Remote Service creation¶
Metadata¶
| collaborators | ['@Cyb3rWard0g', '@Cyb3rPandaH'] |
| creation date | 2019/08/15 |
| modification date | 2020/09/20 |
| playbook related | ['WIN-190813181020'] |
Hypothesis¶
Adversaries might be creating new services remotely to execute code and move laterally in my environment
Technical Context¶
None
Offensive Tradecraft¶
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. One way to do this is to create a new service. Because the Service Control Manager is also reachable over the network (the dataset used below was produced with Empire's PsExec module talking to the svcctl RPC interface), adversaries can create services on a remote host to execute code there and move laterally across the environment.
Mordor Test Data¶
| metadata | https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-190518210652.html |
| link | https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip |
Analytics¶
Initialize Analytics Engine¶
```python
from openhunt.mordorutils import *
spark = get_spark()
```
Download & Process Mordor Dataset¶
```python
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psexec_dcerpc_tcp_svcctl.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
```
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Analytic I¶
Look for new services being created (Security event 4697) whose SubjectLogonId matches a logon session that was established with logon type 3, a network logon (Security event 4624). A service created under a network logon session was not created interactively on the host, which is a sign that the service creation was performed from another endpoint in the environment.
| Data source | Event Provider | Relationship | Event |
|---|---|---|---|
| Service | Microsoft-Windows-Security-Auditing | User created Service | 4697 |
| Authentication log | Microsoft-Windows-Security-Auditing | User authenticated Host | 4624 |
```python
df = spark.sql(
'''
SELECT o.`@timestamp`, o.Hostname, o.SubjectUserName, o.ServiceName, a.IpAddress
FROM mordorTable o
INNER JOIN (
    -- network (type 3) logons of user accounts; machine accounts (names ending in $) are excluded
    SELECT Hostname,TargetUserName,TargetLogonId,IpAddress
    FROM mordorTable
    WHERE LOWER(Channel) = "security"
        AND EventID = 4624
        AND LogonType = 3
        AND NOT TargetUserName LIKE "%$"
    ) a
-- a LogonId is only unique on the host that issued it, so match the host as well as the session
ON o.SubjectLogonId = a.TargetLogonId
    AND o.Hostname = a.Hostname
WHERE LOWER(o.Channel) = "security"
    AND o.EventID = 4697
'''
)
df.show(10,False)
```
+-----------------------+---------------------------+---------------+-----------+-----------+
|@timestamp             |Hostname                   |SubjectUserName|ServiceName|IpAddress  |
+-----------------------+---------------------------+---------------+-----------+-----------+
|2020-09-20 12:16:58.214|WORKSTATION6.theshire.local|pgustavo       |Updater    |172.18.39.5|
+-----------------------+---------------------------+---------------+-----------+-----------+
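The same join expressed in plain Python, as an added example that is not part of the original playbook or the Mordor tooling, so the logic can be run without Spark. The events, hostnames, users, logon IDs and service file names below are constructed for the example; the field names follow the 4624 and 4697 columns used in the query above. It goes slightly beyond the SparkSQL analytic in two ways: the join is keyed on host as well as LogonId (a LogonId is only unique on the host that issued it), and the hits are stacked by ServiceFileName as the hunter notes suggest.

```python
# Added example (not the playbook's own code): Analytic I over constructed Security events.
from collections import Counter

# Constructed hostnames for the sample data
WS6 = "WORKSTATION6.theshire.local"
WS5 = "WORKSTATION5.theshire.local"

# Constructed sample events; only the fields the analytic needs are present
SAMPLE_EVENTS = [
    # 1. network logon (type 3) of a user account, arriving from 172.18.39.5
    {"@timestamp": "2020-09-20 12:16:57.900", "Hostname": WS6, "Channel": "Security",
     "EventID": 4624, "LogonType": 3, "TargetUserName": "pgustavo",
     "TargetLogonId": "0x3e7a1", "IpAddress": "172.18.39.5"},
    # 2. service created under that network logon session: the case we hunt for
    {"@timestamp": "2020-09-20 12:16:58.214", "Hostname": WS6, "Channel": "Security",
     "EventID": 4697, "SubjectUserName": "pgustavo", "SubjectLogonId": "0x3e7a1",
     "ServiceName": "Updater",
     "ServiceFileName": "%COMSPEC% /C start /b C:\\Windows\\Temp\\u.bat"},
    # 3./4. interactive logon (type 2) and a service created locally: not remote
    {"@timestamp": "2020-09-20 12:20:01.000", "Hostname": WS6, "Channel": "Security",
     "EventID": 4624, "LogonType": 2, "TargetUserName": "nmartha",
     "TargetLogonId": "0x12345", "IpAddress": "-"},
    {"@timestamp": "2020-09-20 12:21:10.000", "Hostname": WS6, "Channel": "Security",
     "EventID": 4697, "SubjectUserName": "nmartha", "SubjectLogonId": "0x12345",
     "ServiceName": "LocalTool",
     "ServiceFileName": "C:\\Program Files\\LocalTool\\svc.exe"},
    # 5./6. machine-account network logon ($) and a service creation: excluded as noise
    {"@timestamp": "2020-09-20 12:30:00.000", "Hostname": WS6, "Channel": "Security",
     "EventID": 4624, "LogonType": 3, "TargetUserName": "DC01$",
     "TargetLogonId": "0x55555", "IpAddress": "172.18.39.4"},
    {"@timestamp": "2020-09-20 12:30:02.000", "Hostname": WS6, "Channel": "Security",
     "EventID": 4697, "SubjectUserName": "DC01$", "SubjectLogonId": "0x55555",
     "ServiceName": "MachineSvc",
     "ServiceFileName": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    # 7. same LogonId value as event 1 but on another host, with no type-3 logon there:
    #    a join on LogonId alone would wrongly pair this with event 1
    {"@timestamp": "2020-09-20 12:40:00.000", "Hostname": WS5, "Channel": "Security",
     "EventID": 4697, "SubjectUserName": "sysadmin", "SubjectLogonId": "0x3e7a1",
     "ServiceName": "Backup", "ServiceFileName": "C:\\Backup\\agent.exe"},
]


def network_logons(events):
    """Index type-3 logons of user accounts by (Hostname, LogonId).

    LogonId values are only unique per host (and per boot), so the host is part of the key.
    Machine accounts (names ending in $) are dropped, as in the playbook's query.
    """
    index = {}
    for e in events:
        if (e["Channel"].lower() == "security" and e["EventID"] == 4624
                and e["LogonType"] == 3 and not e["TargetUserName"].endswith("$")):
            index[(e["Hostname"], e["TargetLogonId"])] = e
    return index


def remote_service_creations(events):
    """Analytic I: 4697 events whose SubjectLogonId is a type-3 logon on the same host."""
    logons = network_logons(events)
    hits = []
    for e in events:
        if e["Channel"].lower() != "security" or e["EventID"] != 4697:
            continue
        logon = logons.get((e["Hostname"], e["SubjectLogonId"]))
        if logon is None:
            continue  # local session, machine account, or LogonId from another host
        hits.append({
            "@timestamp": e["@timestamp"],
            "Hostname": e["Hostname"],
            "SubjectUserName": e["SubjectUserName"],
            "ServiceName": e["ServiceName"],
            "ServiceFileName": e["ServiceFileName"],
            "IpAddress": logon["IpAddress"],  # source endpoint of the network logon
        })
    return hits


def stack_service_file_names(hits):
    """Hunter-notes step: stack ServiceFileName values so rare binaries stand out."""
    return Counter(h["ServiceFileName"] for h in hits)


if __name__ == "__main__":
    hits = remote_service_creations(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(stack_service_file_names(hits))
```

Run against the sample, only the `Updater` service created under pgustavo's network session from 172.18.39.5 is returned; the interactive session, the machine account and the colliding LogonId on WORKSTATION5 are all dropped.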
Known Bypasses¶
| Idea | Playbook |
|---|---|
False Positives¶
None
Hunter Notes¶
- If there are a lot of unique services being created in your environment, try to categorize the data based on the business unit.
- Identify the source of unique services being created every day. I have seen Microsoft applications doing this.
- Stack the values of the service file name associated with the new service.
- Document which users create new services across your environment on a daily basis.
Hunt Output¶
| Type | Link |
|---|---|
References¶
https://www.powershellempire.com/?page_id=523