
RP2006: Lateral movement using SCM

Summary

ID: RP2006
Brief description: Response playbook for detected lateral movement in which an adversary abuses the Service Control Manager (SCM) by changing a service's BinPath.
Author: @Cyberok
Creation date: 2023/02/03
Modification date: 2023/04/23
Tags:
  • Status: Stable
  • Severity: High
  • TLP: Amber
  • PAP: White
  • Windows
Usecases

Description

To realize the lateral movement tactic, adversaries have to use tools that let them manipulate the remote host and its services (doing so without such tools is significantly harder).

In practice, defenders can identify the use of sc.exe to create, modify or start services on remote hosts. This can indicate adversary lateral movement, but it will be noisy in environments where administrators commonly do the same.

Workflow

To triage and respond effectively, you need to identify and analyze the artifacts from the use case.

  1. Identify the means of attack. Both tools rely on the ChangeServiceConfigA API call to change the image path (BinPath) in the service configuration:
    result = ChangeServiceConfig(serviceInfo.serviceHandle, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, options.payload, null, IntPtr.Zero, null, null, null, null);

    SharpNoPSExec queries all services and randomly picks one whose start type is disabled or manual, whose current status is stopped and which runs as LocalSystem, and reuses it.
  2. A successful attack attempt will most likely leave traces. Examine specific events to extract useful artifacts such as:

  3. Collect and analyse network logs with any network security monitoring tool. For example, Zeek event logs were used to observe the network events generated by such an attack:

    DCE-RPC protocol:
      DCE-RPC operation: QueryServiceConfigA followed by ChangeServiceConfigA
      DCE-RPC endpoint: svcctl


  4. Take any containment action depending on the situation and the criticality of the asset.
    For example, if the lateral movement succeeded and can still be used across the infrastructure, it is reasonable to limit access by IP or by DCE-RPC content pattern:

    • Block internal IP address
    • Block data transfer by content pattern
  5. Take any eradication action depending on the situation and the criticality of the asset.
    For example, this attack assumes some service has been hijacked, so once the compromised service is identified it needs to be removed and replaced with the original one:

    • Remove service
  6. Take recovery actions depending on the previous containment and eradication actions:

    • Recover the modification
  7. Report the incident, close the security gaps, and conduct a lessons-learned exercise.
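The detection logic behind step 3, as an added example that is not part of the original playbook: it reads Zeek's dce_rpc.log (standard TSV layout with a #fields header) and flags a ChangeServiceConfig call over the svcctl endpoint, with higher confidence when the same source/destination pair issued QueryServiceConfig shortly before. The operation names are taken from the playbook's Zeek observation; the log lines, hosts and uids are constructed, not captured traffic.

```python
"""Flag the svcctl QueryServiceConfig -> ChangeServiceConfig sequence in a Zeek dce_rpc.log.

Added example for this playbook (not original page code). Assumes the standard Zeek
TSV log layout and the operation names as written in the playbook; the sample log
below is constructed.
"""

# Constructed dce_rpc.log. 10.0.0.5 queries then rewrites a service config on
# 10.0.0.20 (the playbook's pattern); 10.0.0.7 only queries (benign inventory);
# 10.0.0.9 changes a config without a prior query; the last row is not svcctl.
SAMPLE_DCE_RPC_LOG = (
    "#separator \\x09\n"
    "#path\tdce_rpc\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation\n"
    "1675400000.100\tC1\t10.0.0.5\t49700\t10.0.0.20\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tOpenSCManagerA\n"
    "1675400000.200\tC1\t10.0.0.5\t49700\t10.0.0.20\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tQueryServiceConfigA\n"
    "1675400000.300\tC1\t10.0.0.5\t49700\t10.0.0.20\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tChangeServiceConfigA\n"
    "1675400000.400\tC1\t10.0.0.5\t49700\t10.0.0.20\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tStartServiceA\n"
    "1675400010.000\tC2\t10.0.0.7\t49800\t10.0.0.20\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tQueryServiceConfigA\n"
    "1675400020.000\tC3\t10.0.0.9\t49900\t10.0.0.21\t445\t0.001\t\\\\pipe\\svcctl\tsvcctl\tChangeServiceConfigW\n"
    "1675400030.000\tC4\t10.0.0.11\t50000\t10.0.0.21\t445\t0.001\t\\\\pipe\\lsass\tlsarpc\tLsarOpenPolicy2\n"
    "#close\n"
)

QUERY_OPS = {"QueryServiceConfigA", "QueryServiceConfigW"}
CHANGE_OPS = {"ChangeServiceConfigA", "ChangeServiceConfigW"}


def parse_zeek_tsv(text):
    """Parse Zeek TSV log text into a list of dicts keyed by the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header/footer lines (#separator, #path, #close, ...)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_scm_config_changes(log_text, window_seconds=60.0):
    """Return one alert per ChangeServiceConfig call over svcctl.

    confidence is "high" when the same (orig_h, resp_h) pair issued
    QueryServiceConfig within window_seconds before it, else "medium".
    """
    last_query = {}  # (orig_h, resp_h) -> ts of the most recent QueryServiceConfig
    alerts = []
    for row in sorted(parse_zeek_tsv(log_text), key=lambda r: float(r["ts"])):
        if row["endpoint"] != "svcctl":
            continue
        key = (row["id.orig_h"], row["id.resp_h"])
        ts = float(row["ts"])
        op = row["operation"]
        if op in QUERY_OPS:
            last_query[key] = ts
        elif op in CHANGE_OPS:
            q = last_query.get(key)
            preceded = q is not None and ts - q <= window_seconds
            alerts.append({
                "orig_h": key[0],
                "resp_h": key[1],
                "uid": row["uid"],
                "operation": op,
                "change_ts": ts,
                "query_ts": q if preceded else None,
                "confidence": "high" if preceded else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_scm_config_changes(SAMPLE_DCE_RPC_LOG):
        print(f"[{a['confidence']}] {a['orig_h']} -> {a['resp_h']} {a['operation']} (uid {a['uid']})")
```

In production, feed the live dce_rpc.log through the same function and tune the window to your environment; because administrators legitimately reconfigure services, the playbook's noise warning applies and an allowlist of management hosts belongs in front of the alert.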

Response discovery mapping

Artifact | Response action | Response action details | Observables
File | Identify means of attack | Look for well-known tool observables | Lateral movement tool
RPC network traffic | List hosts communicated with internal IP; Find data transferred by content pattern; Identify affected systems and users | Look for attacker's destination host | Compromised host
Service application | Examine content; Remove service | Look for injected service, examine services with changed BinPath | Lateral movement artifact
Credentials | Reset password | Find compromised credentials from lateral movement artifacts and reset them | Compromised/clean password
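The "Service application" row above (examine services with a changed BinPath) and eradication step 5 both need a way to spot the hijacked service. The following is an added example, not the playbook's own code: it parses the plain-text output of `sc qc <service>` for the services on a host, compares each BINARY_PATH_NAME against a pre-incident baseline, and flags entries that differ or that launch an interpreter. The baseline dict and the `sc qc` text are constructed samples; the parser assumes that layout only.

```python
"""Triage service configurations for a changed BinPath.

Added example for this playbook (not original page code). Assumes a baseline of
image paths captured before the incident (constructed dict below) and a current
dump in the text layout printed by `sc qc` (constructed sample below).
"""
import re

# Constructed `sc qc` output for two services: "Spooler" is unchanged,
# "UnusedSvc" has had its BINARY_PATH_NAME rewritten to run a command shell.
SAMPLE_SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UnusedSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : %COMSPEC% /c "C:\Windows\Temp\payload.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Unused Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed pre-incident baseline: service name -> expected BINARY_PATH_NAME.
BASELINE_BINPATHS = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "UnusedSvc": r"C:\Windows\System32\unusedsvc.exe",
}

# Launchers that are rarely a legitimate service image on their own; a rewritten
# BinPath usually goes through one of them to run an arbitrary command.
INTERPRETER_RE = re.compile(
    r"(%comspec%|\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b|"
    r"\brundll32(\.exe)?\b|\bregsvr32(\.exe)?\b|\bmshta(\.exe)?\b)",
    re.IGNORECASE,
)


def parse_sc_qc(text):
    """Map SERVICE_NAME -> {FIELD: value} from concatenated `sc qc` output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line.strip())
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        # Indented "KEY : value" rows; continuation rows without a key are skipped.
        m = re.match(r"\s+([A-Z_]+)\s*:\s*(.*)$", line)
        if m and current is not None:
            services[current][m.group(1)] = m.group(2).strip()
    return services


def audit_binpaths(sc_qc_text, baseline):
    """Return findings for services whose BinPath differs from the baseline or
    invokes an interpreter; each finding lists the reasons it was flagged."""
    findings = []
    for name, cfg in parse_sc_qc(sc_qc_text).items():
        binpath = cfg.get("BINARY_PATH_NAME", "")
        expected = baseline.get(name)
        reasons = []
        if expected is None:
            reasons.append("service not in baseline")
        elif binpath.lower() != expected.lower():
            reasons.append("binpath differs from baseline")
        if INTERPRETER_RE.search(binpath):
            reasons.append("binpath invokes an interpreter or launcher")
        if reasons:
            findings.append({
                "service": name,
                "binpath": binpath,
                "expected": expected,
                "start_name": cfg.get("SERVICE_START_NAME"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_binpaths(SAMPLE_SC_QC_OUTPUT, BASELINE_BINPATHS):
        print(f"{f['service']}: {f['binpath']!r} ({'; '.join(f['reasons'])})")
```

The "expected" value in each finding is what step 5's restore should put back; services flagged only as "not in baseline" need a manual look before removal, since a baseline taken from a golden image will not include every legitimately installed service.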

P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host and Remote Procedure Call) should be used in Operational Preparations and as input arguments for other response actions, for example:

response action: find process by executable content pattern
find_process_by_executable_content_pattern (enabled=True, host, process_content)

Response mindmap diagram

Mindmap

Playbook Actions

Preparation

Operational Preparations

Identification

List Registry Keys Accessed
List Registry Keys Modified
List Processes Executed
Find Process By Executable Content Pattern
Find Data Transferred By Content Pattern
List Hosts Communicated With Internal Ip
Identify means of attack
Identify affected systems and users
Examine Content
Put Compromised Accounts On Monitoring

Containment

Block Internal Ip Address
Block Data Transferring By Content Pattern
Lock User Account
Powershell disable AD user

Eradication

Remove Service
Reset Authentication Credentials
Revoke Authentication Credentials

Recovery

Unlock Locked User Account
Powershell enable AD user
Unblock Blocked Ip

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts