UC0041: Lateral movement via Service Configuration Manager
Summary
ID | UC0041 |
---|---|
Brief Description | Execute commands on a remote host by abusing the service configuration manager, changing the service binPath. |
Author | Alex@Cyberok |
Creation Date | 2023/02/28 |
Modification Date | 2023/02/28 |
ATT&CK Techniques | |
Tags | |
Linked Response Playbooks | |
Artifacts | |
Description
It's possible to execute commands on a remote host by abusing the service configuration manager: the service binPath is changed to a malicious command and the service is restarted so the payload gets executed. All of this is automated by the tool SCShell.
The utility can be used remotely WITHOUT registering or creating a service. It also doesn't have to drop any file on the remote system (depending on the technique used to execute), so SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. It does not perform authentication against SMB; everything is performed over DCERPC.
There is also a tool, SharpNoPSExec, with the same functionality (fileless command execution for lateral movement).
SharpNoPSExec queries all services and randomly picks one with a start type of Disabled or Manual, a current status of Stopped and LocalSystem privileges, in order to reuse it. Once it selects the service, it saves the service's current state, replaces the binary path with the payload of your choice and executes it.
Attack mapping
ARTIFACT | OBJECT | DESCRIPTION |
---|---|---|
Attack Prerequisites | ||
Credentials | User's credentials (login and password) | Used as arguments for lateral movement actions |
Remote Procedure Call | RPC | SCShell utilizes authentication over DCERPC |
File | SCShell or other similar tool | Fileless lateral movement tool |
Side Observables | ||
RPC Network Traffic | Generated network traffic | Network traffic generated by using SCShell DCERPC module |
Service Application | Victim service | Service which is used for abuse and changing binpath |
Attack results
A successful attack allows the attacker to execute commands on the remote host.
RESOURCE | DESCRIPTION |
---|---|
Attack Prerequisites | |
Privileged Access | Compromised host with privileged access |
Credential Access | Any user's credentials |
Result Consequences | |
Remote Code Execution | Attacker gets an ability to execute commands on the remote host |
Attack progress
1) SCShell expects the following arguments: target, service, payload, username, domain, password:

```
.\scshell.exe ws01 XblAuthManager "C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt" username domain password
```

From the defensive side, consider monitoring services whose binPath changes "too often", as this may not be normal in your environment, especially if the new binPath is very different from the previously known good value and if the service configuration is being changed over the network:
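An added detection example for the monitoring idea above (written for this page, not part of the original use case or of the SCShell/SharpNoPSExec projects): a binPath change made through ChangeServiceConfigA lands in the registry as a write to `HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath`, which Sysmon reports as Event ID 13 (RegistryEvent: value set). The script below scores such events against a per-service baseline of known-good binPaths, flags values that invoke a command or script interpreter, and flags services whose binPath changes more than once in a short window (the change-then-revert pattern a tool that "saves the current state" produces). The baseline, the event records, the field names used (UtcTime, TargetObject, Details, Image) and the thresholds are all assumptions/constructed sample data.

```python
"""Flag suspicious service binPath (ImagePath) changes from Sysmon Event ID 13 records.

Added example; the baseline, events and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Known-good binPath per service (constructed; in practice export this from a
# clean host with `sc qc <service>` or Win32_Service and store it per host/build).
BASELINE = {
    "XblAuthManager": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Interpreters that a legitimate service binPath almost never points at.
SUSPICIOUS_PATTERNS = re.compile(
    r"(cmd\.exe|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)", re.I)
IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)

# Constructed Sysmon Event ID 13 records (field names follow the Sysmon schema).
# The SCM (services.exe) performs the write whether the caller is local or remote.
CONSTRUCTED_EVENTS = [
    {"UtcTime": "2023-02-28 10:00:01", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath",
     "Details": r"C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt"},
    {"UtcTime": "2023-02-28 10:00:04", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},          # revert to original
    {"UtcTime": "2023-02-28 11:30:00", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},                         # benign rewrite, same value
    {"UtcTime": "2023-02-28 12:00:00", "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AcmeAgent\ImagePath",
     "Details": r"C:\Program Files\Acme\agent.exe"},                         # service not in baseline
]


def service_from_key(target_object):
    """Return the service name from a ...\\Services\\<name>\\ImagePath key, else None."""
    m = IMAGEPATH_RE.search(target_object)
    return m.group(1) if m else None


def _norm(path):
    # Case-insensitive, whitespace-normalised comparison of binPath strings.
    return " ".join(path.lower().split())


def reasons_for(service, new_path, baseline):
    """Static checks on a single new binPath value; returns a list of reason strings."""
    reasons = []
    known = baseline.get(service)
    if known is None:
        reasons.append("no baseline for service")
    elif _norm(known) != _norm(new_path):
        reasons.append("binPath differs from baseline")
    if SUSPICIOUS_PATTERNS.search(new_path):
        reasons.append("binPath invokes a script/command interpreter")
    return reasons


def detect(events, baseline=BASELINE, window=timedelta(minutes=10), max_changes=1):
    """Return one alert dict per ImagePath write that trips a static or frequency check."""
    alerts = []
    history = defaultdict(list)  # service -> timestamps of earlier ImagePath writes
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        service = service_from_key(ev["TargetObject"])
        if service is None:
            continue  # some other value under the Services key; not a binPath change
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        reasons = reasons_for(service, ev["Details"], baseline)
        recent = [t for t in history[service] if ts - t <= window]
        if len(recent) + 1 > max_changes:
            reasons.append(f"{len(recent) + 1} binPath changes within {window}")
        history[service].append(ts)
        if reasons:
            alerts.append({"service": service, "time": ev["UtcTime"],
                           "binPath": ev["Details"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(f"{alert['time']} {alert['service']}: {'; '.join(alert['reasons'])}")
```

On the constructed input the first XblAuthManager write is flagged for both differing from the baseline and pointing at cmd.exe, the restore three seconds later is flagged only by the frequency check (the value itself is the known-good one), the Spooler rewrite is silent, and the unknown AcmeAgent service is surfaced for triage. Because services.exe is always the process writing ImagePath, this data alone cannot tell a local change from one made over DCERPC; to confirm the "over the network" condition, correlate the alert time with a network logon (Security 4624, logon type 3) or an SMB/RPC session to the svcctl named pipe from the same account.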