<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Services - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/services/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/services/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual Persistence via Services Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-unusual-service-registry-persistence/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-unusual-service-registry-persistence/</guid><description>Adversaries may modify the Windows services registry keys directly to stealthily persist through abnormal service creation or modification of an existing service, bypassing standard APIs, detected by monitoring registry changes related to service DLLs and image paths.</description><content:encoded><![CDATA[<p>Attackers often seek to establish persistence within a compromised system to maintain unauthorized access. One method involves directly modifying the Windows services registry keys, bypassing standard Windows APIs. This technique allows attackers to create or modify services stealthily, potentially evading detection by traditional security measures. The detection focuses on changes to <code>ServiceDLL</code> and <code>ImagePath</code> values within the services registry, specifically under <code>HKLM\SYSTEM\ControlSet*\Services\*</code>, <code>\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*</code>, and <code>MACHINE\SYSTEM\ControlSet*\Services\*</code>. By monitoring these specific registry paths and filtering out known legitimate processes (e.g., <code>svchost.exe</code>, <code>services.exe</code>, and processes within <code>Program Files</code> or <code>Windows\System32</code>), security teams can identify suspicious service modifications indicative of malicious activity. This rule helps detect potential persistence mechanisms and unauthorized system modifications, improving overall security posture.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker gains initial access to the system via an exploit or phishing campaign (details not available in source).</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges to obtain necessary permissions to modify the registry (details not available in source).</li>
<li><strong>Identify Target Service:</strong> The attacker identifies a service to modify or creates a new service entry in the registry. The registry path is typically found under <code>HKLM\SYSTEM\ControlSet*\Services\*</code>.</li>
<li><strong>Modify ServiceDLL Value:</strong> The attacker modifies the <code>ServiceDLL</code> value in the registry to point to a malicious DLL. This DLL will be loaded when the service starts. Registry path: <code>HKLM\SYSTEM\ControlSet*\Services\*\ServiceDLL</code>.</li>
<li><strong>Modify ImagePath Value:</strong> Alternatively or additionally, the attacker modifies the <code>ImagePath</code> value to point to a malicious executable. This executable will be launched when the service starts. Registry path: <code>HKLM\SYSTEM\ControlSet*\Services\*\ImagePath</code>.</li>
<li><strong>Start the Service:</strong> The attacker starts the modified or newly created service, either manually or by triggering an event that causes the service to start automatically.</li>
<li><strong>Malicious Code Execution:</strong> The malicious DLL or executable specified in the registry key is loaded and executed with elevated privileges.</li>
<li><strong>Persistence Established:</strong> The attacker maintains persistent access to the system, as the malicious code will execute whenever the service is started.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to maintain persistent access to compromised systems, potentially leading to data theft, system compromise, or further lateral movement within the network.  The lack of specific victim numbers or industry targeting in the provided source prevents a more detailed impact assessment.  However, the wide use of Windows services makes this a potentially broad threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Windows Registry auditing to capture registry modification events, specifically monitoring the registry paths mentioned in the overview (<code>HKLM\SYSTEM\ControlSet*\Services\*</code>, <code>\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*</code>, <code>MACHINE\SYSTEM\ControlSet*\Services\*</code>) (Log Source).</li>
<li>Deploy the Sigma rule &quot;Unusual Persistence via Services Registry Modification&quot; to detect unusual modifications to service registry keys, tuning the rule's filters to avoid false positives in your specific environment (Sigma Rule).</li>
<li>Investigate and remediate any alerts generated by the Sigma rule, focusing on processes modifying the <code>ServiceDLL</code> or <code>ImagePath</code> values within the specified registry paths (Sigma Rule).</li>
<li>Review and update endpoint protection policies to ensure that unauthorized registry modifications are detected and blocked (Endpoint Protection Policies).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>registry</category><category>windows</category><category>services</category></item></channel></rss>