{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/services/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["persistence","registry","windows","services"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often seek to establish persistence within a compromised system to maintain unauthorized access. One method involves directly modifying the Windows services registry keys, bypassing standard Windows APIs. This technique allows attackers to create or modify services stealthily, potentially evading detection by traditional security measures. The detection focuses on changes to \u003ccode\u003eServiceDLL\u003c/code\u003e and \u003ccode\u003eImagePath\u003c/code\u003e values within the services registry, specifically under \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e, \u003ccode\u003e\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e, and \u003ccode\u003eMACHINE\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e. By monitoring these specific registry paths and filtering out known legitimate processes (e.g., \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003eservices.exe\u003c/code\u003e, and processes within \u003ccode\u003eProgram Files\u003c/code\u003e or \u003ccode\u003eWindows\\System32\u003c/code\u003e), security teams can identify suspicious service modifications indicative of malicious activity. This rule helps detect potential persistence mechanisms and unauthorized system modifications, improving overall security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to the system via an exploit or phishing campaign (details not available in source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to obtain necessary permissions to modify the registry (details not available in source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Target Service:\u003c/strong\u003e The attacker identifies a service to modify or creates a new service entry in the registry. The registry path is typically found under \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify ServiceDLL Value:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eServiceDLL\u003c/code\u003e value in the registry to point to a malicious DLL. This DLL will be loaded when the service starts. Registry path: \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify ImagePath Value:\u003c/strong\u003e Alternatively or additionally, the attacker modifies the \u003ccode\u003eImagePath\u003c/code\u003e value to point to a malicious executable. This executable will be launched when the service starts. Registry path: \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStart the Service:\u003c/strong\u003e The attacker starts the modified or newly created service, either manually or by triggering an event that causes the service to start automatically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Execution:\u003c/strong\u003e The malicious DLL or executable specified in the registry key is loaded and executed with elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Established:\u003c/strong\u003e The attacker maintains persistent access to the system, as the malicious code will execute whenever the service is started.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to compromised systems, potentially leading to data theft, system compromise, or further lateral movement within the network.  The lack of specific victim numbers or industry targeting in the provided source prevents a more detailed impact assessment.  However, the wide use of Windows services makes this a potentially broad threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Registry auditing to capture registry modification events, specifically monitoring the registry paths mentioned in the overview (\u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e, \u003ccode\u003e\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e, \u003ccode\u003eMACHINE\\SYSTEM\\ControlSet*\\Services\\*\u003c/code\u003e) (Log Source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Unusual Persistence via Services Registry Modification\u0026quot; to detect unusual modifications to service registry keys, tuning the rule's filters to avoid false positives in your specific environment (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any alerts generated by the Sigma rule, focusing on processes modifying the \u003ccode\u003eServiceDLL\u003c/code\u003e or \u003ccode\u003eImagePath\u003c/code\u003e values within the specified registry paths (Sigma Rule).\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection policies to ensure that unauthorized registry modifications are detected and blocked (Endpoint Protection Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-unusual-service-registry-persistence/","summary":"Adversaries may modify the Windows services registry keys directly to stealthily persist through abnormal service creation or modification of an existing service, bypassing standard APIs, detected by monitoring registry changes related to service DLLs and image paths.","title":"Unusual Persistence via Services Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-service-registry-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Services","version":"https://jsonfeed.org/version/1.1"}