{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/adminarsenal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SCCM"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Pella Corporation","AdminArsenal","ESET","Veeam"],"content_html":"\u003cp\u003eThis detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by \u003ccode\u003eservices.exe\u003c/code\u003e with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to \u003ccode\u003eservices.exe\u003c/code\u003e followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the target system\u0026rsquo;s \u003ccode\u003eservices.exe\u003c/code\u003e process over RPC using a high port (\u0026gt;= 49152).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established RPC connection to create or start a new service on the remote system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservices.exe\u003c/code\u003e process on the remote system spawns a child process related to the newly created or started service.\u003c/li\u003e\n\u003cli\u003eThis new process executes the attacker\u0026rsquo;s payload, potentially granting further access or executing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly executed service for persistent access or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.\u003c/li\u003e\n\u003cli\u003eConsider excluding known remote management tools from triggering the detection by adding exceptions based on \u003ccode\u003eprocess.executable\u003c/code\u003e or \u003ccode\u003eprocess.args\u003c/code\u003e in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eMonitor the network for unusual RPC activity, especially connections to \u003ccode\u003eservices.exe\u003c/code\u003e from unexpected source IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-remote-service-execution/","summary":"Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.","title":"Remote Execution of Windows Services via RPC","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — AdminArsenal","version":"https://jsonfeed.org/version/1.1"}