Attack Chain

1. Initial Access: The attacker gains initial access to the system through various means.
2. Privilege Escalation: The attacker attempts to escalate privileges to SYSTEM.
3. Service Creation: The attacker creates a new Windows service using tools like sc.exe or modifies an existing one.
4. Image Path Modification: The attacker sets the service’s ImagePath to point to a command interpreter (e.g., cmd.exe, powershell.exe) or a script file.
5. Command Execution: The service executes the command interpreter or script with SYSTEM privileges.
6. Persistence: The attacker configures the service to start automatically on system boot, ensuring persistent access.
7. Malicious Activity: The attacker uses the elevated privileges to perform malicious activities, such as installing malware, stealing credentials, or compromising other systems.

Impact

Successful exploitation allows attackers to maintain persistent access to the compromised system with SYSTEM privileges. This can lead to complete system compromise, data theft, installation of ransomware, and lateral movement to other systems within the network. The impact includes potential data breaches, financial losses, and reputational damage.

Recommendation

• Enable Windows Security Event Logs and Windows System Event Logs to capture service creation events (Event IDs 4697 and 7045).
• Deploy the Sigma rule Suspicious Service Installation via ImagePath to your SIEM to detect suspicious service creations.
• Investigate any alerts generated by the Sigma rule by examining the service’s ImagePath and associated processes.
• Use the Osquery queries provided in the source to investigate existing services, unsigned executables, and drivers for suspicious characteristics.
• Monitor for registry changes related to service creation or modification.