Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker attempts to move laterally to other systems.
3. The attacker establishes a connection to the target system’s services.exe process over RPC using a high port (>= 49152).
4. The attacker uses the established RPC connection to create or start a new service on the remote system.
5. The services.exe process on the remote system spawns a child process related to the newly created or started service.
6. This new process executes the attacker’s payload, potentially granting further access or executing malicious commands.
7. The attacker leverages the newly executed service for persistent access or further lateral movement.

Impact

A successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.

Recommendation

• Deploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.
• Enable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.
• Investigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.
• Consider excluding known remote management tools from triggering the detection by adding exceptions based on process.executable or process.args in the Sigma rules.
• Monitor the network for unusual RPC activity, especially connections to services.exe from unexpected source IPs.