CYB3RSN0RLAX
TwitterGitHubLinkedin
Searchโ€ฆ
About Cyb3rSn0rlax
๐Ÿ›ก๏ธ SOC Engineering
๐Ÿงž
Building an Open SIEM From Scratch
๐Ÿ›ก
A Primer to Detection Engineering Dimensions in a SOC Universe
๐Ÿ˜บ
GitHub Projects
ELK4QRadar
Automating ELK Health Check
๐Ÿ’พ
DFIR
DFIR-01 : $MFT
DFIR-02 : Journal Forensics
DFIR-03: RDP Authentication Artifacts
โ˜ข๏ธ DEATH : Detection Engineering And Threat Hunting
๐Ÿ”‘
TA0006 : Credential Access
๐Ÿฆ˜
TA0008 : Lateral Movement
Detecting Lateral Movement via Service Configuration Manager
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
๐Ÿ”Ž
Misc
Infosec Game-Sense
Powered By GitBook
Detecting Lateral Movement via Service Configuration Manager
Using Endpoint & Network telemetry to hunt for remote service usage for lateral movement

Descritption

It is possible to use Service Configuration Manager for executing fileless lateral movement, which is explained in SCShell by @MrUn1k0d3r and SharpNoPSExec by @JulioUrena tools repository that were used in this demo to simulate this type of attacks. "So instead of creating a service it simply remotely open a service and modify the binary path name via the ChangeServiceConfigA API."
Both tools rely on ChangeServiceConfigA API call to change the Image Path of the service configuration :
result = ChangeServiceConfig(serviceInfo.serviceHandle, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, options.payload, null, IntPtr.Zero, null, null, null, null);
โ€‹SharpNoPSExec will query all services and randomly pick one with a start type disable or manual, the current status stopped and with LocalSystem privileges to reuse them.

The attack

Showing bellow the simulation using SCShell tool where you have to specify the service name you wanna use, in my case I used the default arguments provided with the tool XblAuthManager.

Endpoint Telemetry

On the target system we noticed these endpoint events
Event ID 5145 :
  • A network share object was checked to see whether client can be granted desired access
  • Relative Target Name : svcctl
  • Share Name : \\*\IPC$
Event ID 13 :
  • Registry Value Set
  • TargetObject : HKLM\System\CurrentControlSet\Services\<servicename>\ImagePath
Event ID 1:
  • Process created
  • Process Name : cmd.exe
  • Process Parent Name : services.exe

Network Telemetry

In this threat hunting lab we used Zeek event logs to observe network events generated such an attack.
DCERPC Protocol :
  • DCE-RPC Operation : QueryServiceConfigA followed by ChangeServiceConfigA
  • DCE-RPC Endpoint : svcctl

EQL Detections

Endpoint:

Network:

To see more details, I provided bellow a PCAP capture of the attack.
LM_Fileless_Lateral_Movement_ChangeServiceConfigA.pcap
8KB
Binary
PCAP Lateral Movement via SCManager

References

ChangeServiceConfigA function (winsvc.h) - Win32 apps
docsmsft
โ˜ข๏ธ DEATH : Detection Engineering And Threat Hunting - Previous
TA0008 : Lateral Movement
Next
Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
Last modified 9mo ago
Copy link
On this page
Descritption
The attack
Endpoint Telemetry
Network Telemetry
EQL Detections
Endpoint:
Network:
References