Threat Hunting #26 - Remote Windows Service Creation / Recon

Interacting remotely with windows services is one way to execute programs remotely as well as persisting across system reboots. It can be done via different utilities (sc.exe, WMI etc.) but in this post we will be focusing more on artifacts and methods to detect this based on static behavioral indicators and independently from the used utilities.

A) Create remotely a service using legit windows built-in utilities:

Example of a command to create remotely a new service "remotesvc" on host 1.2.3.4 that persist system reboot and executes cmd.exe:

sc \\1.2.3.4 create remotesvc binpath= cmd.exe type= own start= auto

From the source machine, we can see clearly sc.exe is connecting to a remote host and source|destination ports are both dynamic RCP port numbers [TCP 49152-65535]:

Monitoring sc.exe process execution command line and network connections is good but not resilient enough and can be bypassed easily as a detection (a.k.a rename sc.exe to something else and run it from another folder). 

On the target machine, the most interesting observed events are:

Windows Built-in:

• [System Events] Event-ID 7045: A service was installed on the system (expected, since we've created a service)
• [Security Events] Event-ID 5156: The Windows Filtering Platform has allowed a connection

If you enable System> Security System Extension in your Advanced Audit Policy GPO you will be able to see eventid 4697 in your security events and which is equivalent to 7045.  

Sysmon:

• [Sysmon RegValueSet] ID 13: Registry Value Set (HKLM\System\CurrentControlSet\services\<svcname>\*, which is expected since we've created a service)
• [Sysmon Network Connect] ID 3: Network Connection Detected

Both events 5156 and 3 (sysmon) contain same information and indicates incoming and/or outgoing network connections from the services.exe process to the source machine of our command. Which is a good indication of remote interaction with the service control manager on the target machine.

Sysmon's observed key events:

Windows's builtin observed key events:

B) Creating a remote service using external utilities (i.e. psexec, paexec, psexec_psh, remcom etc.):

The aforementioned third party utilities are extremely useful for an attacker to move laterally and expand the compromise. High level modus operandi is quite simple and similar across this category of utilities:

1. Extract a service PE from it's resource section or download it from elsewhere
2. Copy the extracted PE to the destination host
3. Register a service on the destination machine (with binpath pointing to the PE extracted in step 2) and send a start control to begin execution
4. Start Interacting with the remote machine

To detect reliably the above steps we will be using our best friend event 5145:

• [Security] EventID 5145 - A network share object was checked to see whether client can be granted desired access -> will help us to detect step 2 and 3 from the destination host security events:

Detection & Takeaways:

Correlation Rule 1 (standard remote service creation - windows builtin):

[EventID=5156 and ApplicationName like "*\services.exe" and SourceAddress != DestinationAddress and SourcePort>=49152 and DestinationPort>=49152 and SourceAddress!=Null and DestinationAddress!=Null] followed by (EventID=7045 or EventID=4697) within 1 min and same ComputerName.

Correlation Rule 2 (standard remote service creation - sysmon) :

[EventID=13 and TargetObject like "HKLM\System\CurrentControlSet\services\*"] followed by [EventID=3 and SourceIP != DestinationIP and SourcePort>=49152 and DestinationPort>=49152 and Image like "*\services.exe" and SourceIP!=Null and DestinationIP !=Null] within 1 minute and Same ComputerName.

Correlation Rule 3 (psexec family):

[EventID=5145 and ShareName=(\\*\ADMIN$ or \\*\C$) and event.payloads contains "WriteData"] followedby [EventID=5145 & ShareName='\\*\IPC$' and RelativeTargetName:'svcctl')] within 1min and with Same [AccountName, SourceAddres,Port] and Same ComputerName