Persistence via Update Orchestrator Service Hijack
Detection of potential hijacking of the Microsoft Update Orchestrator Service to establish persistence and privilege escalation by monitoring uncommon processes spawned by `svchost.exe` with `UsoSvc` as command-line parameters.
This threat brief addresses the potential hijacking of the Microsoft Update Orchestrator Service, a technique attackers can use to establish persistence and escalate privileges on Windows systems. The Update Orchestrator Service, a DCOM service, is used by other components to install downloaded Windows updates. A vulnerability, CVE-2020-1313, allowed for elevation of privileges (any user to local system) due to improper authorization, impacting Windows 10 and Windows Server Core products. Microsoft patched this vulnerability in June 2020. This attack involves spawning uncommon processes from svchost.exe with the UsoSvc parameter, deviating from the expected behavior of legitimate update processes. Defenders should monitor process creations associated with svchost.exe and the Update Orchestrator Service to identify and mitigate potential exploitation attempts.
Attack Chain
- An attacker gains initial access to the system through an unspecified method (e.g., exploiting an existing vulnerability, social engineering).
- The attacker leverages CVE-2020-1313 or a similar technique to gain elevated privileges.
- The attacker modifies or replaces a legitimate executable or DLL used by the Update Orchestrator Service.
- The attacker triggers the Update Orchestrator Service, typically through
svchost.exewith theUsoSvcparameter. svchost.exespawns a malicious process, masquerading as a legitimate update task.- The malicious process executes with SYSTEM privileges, allowing the attacker to perform privileged actions.
- The attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring the malicious process runs even after a reboot.
- The attacker achieves their final objective, such as deploying ransomware, exfiltrating sensitive data, or establishing a remote access backdoor.
Impact
Successful exploitation allows an attacker to gain SYSTEM-level privileges on the compromised machine. This enables them to install malicious software, modify system configurations, steal sensitive data, and potentially pivot to other systems on the network. Given the high privileges associated with the Update Orchestrator Service, a successful hijack represents a critical security risk. While no victim numbers are available, the widespread use of Windows 10 and Windows Server Core makes this vulnerability a significant threat across various sectors.
Recommendation
- Deploy the Sigma rule "Detect Uncommon Processes Spawned by Update Orchestrator Service" to identify suspicious processes launched by
svchost.exewithUsoSvc(rule). - Monitor process creation events, specifically looking for unexpected executables spawned by
svchost.exewithUsoSvcas a command-line argument (log source). - Investigate any alerts generated by the Sigma rule, focusing on the parent process tree, file locations, and digital signatures of the spawned processes (rule).
- Patch CVE-2020-1313 on all Windows 10 and Windows Server Core systems (CVE-2020-1313).
Detection coverage 2
Detect Uncommon Processes Spawned by Update Orchestrator Service
highDetects suspicious processes spawned by svchost.exe with UsoSvc as command line parameters, indicating a potential Update Orchestrator service hijack.
Detect Update Orchestrator Service Hijack via Image Load
mediumDetects the loading of unusual DLLs by svchost.exe running the Update Orchestrator service (UsoSvc), indicating potential service hijacking.
Detection queries are available on the platform. Get full rules →