Service-Creation — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/service-creation/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 12:00:00 +0000Service Control Executed from Script Interpretershttps://feed.craftedsignal.io/briefs/2024-01-02-service-control-script-spawn/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-service-control-script-spawn/Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.This detection identifies instances where the Service Control utility (sc.exe) is executed from within a script interpreter, such as cmd.exe, PowerShell, or wscript.exe. Attackers may leverage this behavior to create, modify, or start Windows services, often with the intent to elevate privileges or establish persistence on a compromised system. The sc.exe is a legitimate Windows command-line tool used for managing services. Abusing this tool allows attackers to perform malicious actions under the guise of legitimate system administration. This detection is designed to identify anomalous use of sc.exe that deviates from typical administrative tasks, focusing on instances where it’s spawned from scripting environments often used for malicious activities. The rule specifically excludes service creations performed by the SYSTEM user.

Attack Chain

  1. An attacker gains initial access to a Windows system via an exploit or compromised credentials.
  2. The attacker executes a script interpreter (e.g., cmd.exe, powershell.exe).
  3. Within the script interpreter, the attacker uses sc.exe to manage Windows services.
  4. The sc.exe command is used with arguments such as “create”, “start”, “stop”, “delete”, or “config” to manipulate service configurations.
  5. A new service is created or an existing service is modified to execute a malicious payload.
  6. The malicious service is started, allowing the attacker to execute code with elevated privileges (SYSTEM).
  7. The attacker achieves persistence by ensuring the malicious service automatically starts upon system reboot.
  8. The attacker may use the created service to execute additional malicious commands or maintain remote access.

Impact

A successful attack could lead to complete system compromise with the attacker gaining SYSTEM level privileges. This can allow for lateral movement within the network, data exfiltration, or installation of persistent backdoors. While the frequency of this specific technique may be low, the potential impact is high due to the elevated privileges gained.

Recommendation

  • Deploy the Sigma rule Service Control Spawning via Script Interpreter to your SIEM to detect this specific behavior and tune it to your environment.
  • Monitor process creation events for sc.exe being executed by script interpreters like PowerShell or cmd.exe (as covered in the rule description).
  • Investigate any instances of sc.exe being used with the arguments “create”, “start”, “stop”, “delete”, or “config” from scripting environments to identify potentially malicious activity.
  • Ensure proper access controls are in place to limit the ability of users to create or modify services.
]]>lowadvisoryprivilege-escalationdefense-evasionexecutionwindowsservice-creation