{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-server-core/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2020-1313"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows 10","Windows Server Core"],"_cs_severities":["high"],"_cs_tags":["persistence","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the potential hijacking of the Microsoft Update Orchestrator Service, a technique attackers can use to establish persistence and escalate privileges on Windows systems. The Update Orchestrator Service, a DCOM service, is used by other components to install downloaded Windows updates. A vulnerability, CVE-2020-1313, allowed for elevation of privileges (any user to local system) due to improper authorization, impacting Windows 10 and Windows Server Core products. Microsoft patched this vulnerability in June 2020. This attack involves spawning uncommon processes from \u003ccode\u003esvchost.exe\u003c/code\u003e with the \u003ccode\u003eUsoSvc\u003c/code\u003e parameter, deviating from the expected behavior of legitimate update processes. Defenders should monitor process creations associated with \u003ccode\u003esvchost.exe\u003c/code\u003e and the Update Orchestrator Service to identify and mitigate potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method (e.g., exploiting an existing vulnerability, social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages CVE-2020-1313 or a similar technique to gain elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or replaces a legitimate executable or DLL used by the Update Orchestrator Service.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the Update Orchestrator Service, typically through \u003ccode\u003esvchost.exe\u003c/code\u003e with the \u003ccode\u003eUsoSvc\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvchost.exe\u003c/code\u003e spawns a malicious process, masquerading as a legitimate update task.\u003c/li\u003e\n\u003cli\u003eThe malicious process executes with SYSTEM privileges, allowing the attacker to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring the malicious process runs even after a reboot.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware, exfiltrating sensitive data, or establishing a remote access backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to gain SYSTEM-level privileges on the compromised machine. This enables them to install malicious software, modify system configurations, steal sensitive data, and potentially pivot to other systems on the network. Given the high privileges associated with the Update Orchestrator Service, a successful hijack represents a critical security risk. While no victim numbers are available, the widespread use of Windows 10 and Windows Server Core makes this vulnerability a significant threat across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Uncommon Processes Spawned by Update Orchestrator Service\u0026quot; to identify suspicious processes launched by \u003ccode\u003esvchost.exe\u003c/code\u003e with \u003ccode\u003eUsoSvc\u003c/code\u003e (rule).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events, specifically looking for unexpected executables spawned by \u003ccode\u003esvchost.exe\u003c/code\u003e with \u003ccode\u003eUsoSvc\u003c/code\u003e as a command-line argument (log source).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process tree, file locations, and digital signatures of the spawned processes (rule).\u003c/li\u003e\n\u003cli\u003ePatch CVE-2020-1313 on all Windows 10 and Windows Server Core systems (CVE-2020-1313).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-update-orchestrator-hijack/","summary":"Detection of potential hijacking of the Microsoft Update Orchestrator Service to establish persistence and privilege escalation by monitoring uncommon processes spawned by `svchost.exe` with `UsoSvc` as command-line parameters.","title":"Persistence via Update Orchestrator Service Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-update-orchestrator-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows Server Core","version":"https://jsonfeed.org/version/1.1"}