<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Windows Server Core - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/windows-server-core/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/windows-server-core/feed.xml" rel="self" type="application/rss+xml"/><item><title>Persistence via Update Orchestrator Service Hijack</title><link>https://feed.craftedsignal.io/briefs/2024-01-update-orchestrator-hijack/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-update-orchestrator-hijack/</guid><description>Detection of potential hijacking of the Microsoft Update Orchestrator Service to establish persistence and privilege escalation by monitoring uncommon processes spawned by `svchost.exe` with `UsoSvc` as command-line parameters.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential hijacking of the Microsoft Update Orchestrator Service, a technique attackers can use to establish persistence and escalate privileges on Windows systems. The Update Orchestrator Service, a DCOM service, is used by other components to install downloaded Windows updates. A vulnerability, CVE-2020-1313, allowed for elevation of privileges (any user to local system) due to improper authorization, impacting Windows 10 and Windows Server Core products. Microsoft patched this vulnerability in June 2020. This attack involves spawning uncommon processes from <code>svchost.exe</code> with the <code>UsoSvc</code> parameter, deviating from the expected behavior of legitimate update processes. Defenders should monitor process creations associated with <code>svchost.exe</code> and the Update Orchestrator Service to identify and mitigate potential exploitation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system through an unspecified method (e.g., exploiting an existing vulnerability, social engineering).</li>
<li>The attacker leverages CVE-2020-1313 or a similar technique to gain elevated privileges.</li>
<li>The attacker modifies or replaces a legitimate executable or DLL used by the Update Orchestrator Service.</li>
<li>The attacker triggers the Update Orchestrator Service, typically through <code>svchost.exe</code> with the <code>UsoSvc</code> parameter.</li>
<li><code>svchost.exe</code> spawns a malicious process, masquerading as a legitimate update task.</li>
<li>The malicious process executes with SYSTEM privileges, allowing the attacker to perform privileged actions.</li>
<li>The attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring the malicious process runs even after a reboot.</li>
<li>The attacker achieves their final objective, such as deploying ransomware, exfiltrating sensitive data, or establishing a remote access backdoor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to gain SYSTEM-level privileges on the compromised machine. This enables them to install malicious software, modify system configurations, steal sensitive data, and potentially pivot to other systems on the network. Given the high privileges associated with the Update Orchestrator Service, a successful hijack represents a critical security risk. While no victim numbers are available, the widespread use of Windows 10 and Windows Server Core makes this vulnerability a significant threat across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Uncommon Processes Spawned by Update Orchestrator Service&quot; to identify suspicious processes launched by <code>svchost.exe</code> with <code>UsoSvc</code> (rule).</li>
<li>Monitor process creation events, specifically looking for unexpected executables spawned by <code>svchost.exe</code> with <code>UsoSvc</code> as a command-line argument (log source).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the parent process tree, file locations, and digital signatures of the spawned processes (rule).</li>
<li>Patch CVE-2020-1313 on all Windows 10 and Windows Server Core systems (CVE-2020-1313).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>privilege-escalation</category><category>windows</category></item></channel></rss>