Hey friend, welcome to this short series on hunting for persistence!
In this series I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you a virtualised battleground to test your cyber capabilities!
Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!
Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, but this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.
Previously we focused on Registry Run Keys and Scheduled Tasks. These posts were accompanied by the Registry Run Persistence and Scheduled Task Persistence campaigns, respectively. Both of these campaigns can be found on Cympire, and tackling them is highly recommended to round out your knowledge of how attackers maintain persistence. Try out these campaigns for FREE by following this link.
In this instalment of the series we will be focusing on Windows Services as a persistence mechanism.
What are Windows Services?
Windows Services are background processes that run on the Windows operating system and perform specific functions, such as updating software, running backups, and managing network connections. These services run continuously in the background, even when no user is logged in, and can be configured to start automatically when the operating system starts up.
Examples of Windows services include the Windows Update service, the Remote Procedure Call (RPC) service, and the Print Spooler service. By running as services, these processes are separate from the user interface and can operate independently, providing more stability and reliability for the operating system and the applications that run on it.
However, attackers can use Windows Services as a means of achieving their malicious goals. This can be done in two ways:
- They can use a misconfigured or vulnerable Windows service to escalate their privileges.
- They can create a Windows service that runs their malicious program on boot and allows them to remain persistent on the compromised machine.
We will be focusing on the second of these use cases to see how bad guys use Windows Services as a persistence mechanism.
Attackers can configure a malicious service to start automatically at boot, providing them with persistent access to the system, even after a reboot. This service will be configured to run a Command and Control (C2) implant/agent or a “downloader” (which will automatically download an implant/agent in an obfuscated way). A C2 implant is a type of malware that allows attackers to remotely control a compromised system. The C2 implant provides the attacker with a means of communicating with the compromised system and issuing commands to it via a C2 server. Once installed, the implant allows an attacker to perform a variety of nefarious actions on a compromised system, including:
- Stealing sensitive data
- Exfiltrating data from the system
- Installing additional malware or tools
- Running malicious code or scripts
- Taking screenshots or capturing keyboard input
C2 implants are often highly sophisticated and are designed to be difficult to detect and remove. They can use encrypted communication channels and often have the ability to evade security software and hide their presence on the system.
Creating Windows Services for Persistence
Windows Services are typically created by applications you install on your machine. These services are usually update-based or telemetry-based. They feed data to/from the application in order to improve it and make it more stable. Administrators may also add Windows Services, but this is usually left to the software they install.
All services can be viewed through the Services app in Windows. This shows all the services configured on your system, their Status, their Startup Type, and the account they log on as. Malicious services will have a Startup Type of Automatic or Automatic (Delayed Start), meaning they execute when the machine is turned on, so that the C2 implant connects back to the attacker’s C2 server and they can take control of the machine.
Attackers will create their malicious services either by modifying existing services (through vulnerabilities and misconfigurations) so that these services execute their malware, or by creating new services. Services can be modified or created using a hacking tool such as SharPersist, which uses native Windows functionality (e.g. PowerShell, Windows API calls through C#, etc.), or by using native Windows tools executed from the command line.
If an attacker chooses to use native Windows tools they are likely to use the sc.exe Windows executable. This is a Living off the Land binary (LOLBAS) that attackers will abuse to create or modify Windows services and install a persistence mechanism. The following command modifies an existing service (<existing>) and executes the program stored in an alternate data stream of the file in the C:\ADS folder (file.txt:cmd.exe); the additional backslashes are used to escape other characters:

```
sc config <existing> binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" & sc start <existing>
```
An attacker can also use PowerShell to create or modify Windows Services. PowerShell is often abused by adversaries because of its prevalence in corporate environments. Nowadays, organisations have PowerShell heavily locked down and PowerShell logging enabled on endpoints to mitigate this risk. The following command creates a new Windows service called MalService that will run every time the system boots and executes the malware at C:\path\to\my\malware.exe.
```powershell
$params = @{
    Name           = "MalService"
    BinaryPathName = '"C:\path\to\my\malware.exe"'
    DisplayName    = "Malicious Service"
    StartupType    = "Automatic"
    Description    = "This is a malicious service."
}
New-Service @params
```
It is important to mention that Windows Services do not work with regular executable files. The program a service points to must be built as a service binary (one that registers with the Service Control Manager when it starts) in order for it to execute as a service.
Hunting for persistence mechanisms is often fertile ground for a threat hunter, as the adversary usually has to make configuration changes and drop their malware (C2 implant) to disk. Services are a good example of this, as an attacker has to make changes to the compromised system and have their service point to a malicious service binary stored on the system’s disk (or to the location it is downloaded from).
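The configuration changes described above are exactly what a hunter can triage. The PowerShell below is an added example for this post (it is not code from the original article or from Cympire) that scores service records for the indicators discussed so far: an image outside the Windows or Program Files trees, an alternate data stream in the image path, an interpreter or LOLBin as the service image, and user-writable directories on the command line. The sample records are constructed for the demo (MalService and the C:\ADS entry mirror the two commands in the post); on a Windows host the same functions can be fed the live service list from Win32_Service and Service Control Manager event 7045, which the SCM writes for every newly installed service.

```powershell
# Added example for this post (not code from the original article or from Cympire).
# Triages service records for persistence indicators. Runs against constructed sample
# data on any PowerShell; on Windows it reads the live service list and SCM event 7045.

function Get-ServiceImage {
    param([Parameter(Mandatory)][string]$BinaryPath)
    # The Service Control Manager launches the first quoted token, or the first
    # whitespace-delimited token when the path is unquoted.
    if ($BinaryPath -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($BinaryPath.Trim() -split '\s+')[0]
}

function Get-ServicePathIndicators {
    param([Parameter(Mandatory)][string]$BinaryPath)
    $image   = Get-ServiceImage -BinaryPath $BinaryPath
    $leaf    = ($image -split '[\\/]')[-1].ToLowerInvariant()
    $reasons = @()

    # file.txt:cmd.exe - a colon inside the file name means an alternate data stream.
    if ($leaf -like '*:*') { $reasons += 'alternate data stream in image path' }

    # Legitimate service binaries live under Windows or Program Files; anything else deserves a look.
    if ($image -notmatch '^[a-z]:\\(windows|program files( \(x86\))?)\\') {
        $reasons += 'image outside Windows and Program Files'
    }

    # A service whose image is an interpreter or proxy-execution binary is really running something else.
    $interpreters = 'cmd.exe','powershell.exe','pwsh.exe','rundll32.exe','regsvr32.exe','mshta.exe','wscript.exe','cscript.exe'
    if ($interpreters -contains $leaf) { $reasons += "interpreter as service image ($leaf)" }

    # Payloads staged by an attacker usually sit somewhere a normal user can write to.
    if ($BinaryPath -match '\\(users|programdata|temp|tmp)\\') {
        $reasons += 'user-writable or temp directory on the command line'
    }
    return ,$reasons
}

function Find-SuspiciousService {
    # Takes objects shaped like Win32_Service (Name, PathName, StartMode, StartName)
    # and emits one row per service that trips at least one indicator.
    param([Parameter(Mandatory)][object[]]$Service)
    foreach ($s in $Service) {
        if ([string]::IsNullOrWhiteSpace($s.PathName)) { continue }
        $reasons = @(Get-ServicePathIndicators -BinaryPath $s.PathName)
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Name      = $s.Name
            StartMode = $s.StartMode
            Account   = $s.StartName
            Image     = Get-ServiceImage -BinaryPath $s.PathName
            Reasons   = ($reasons -join '; ')
        }
    }
}

function Get-LiveServiceRecord {
    # Current configuration of every service on this host (Windows only).
    Get-CimInstance -ClassName Win32_Service | Select-Object Name, PathName, StartMode, StartName
}

function Get-ServiceInstallRecord {
    # System log event 7045 ("A service was installed in the system") is written by the SCM
    # for every new service, so it also catches services installed and later removed.
    # Event data order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Properties[0].Value
            PathName  = $_.Properties[1].Value
            StartMode = $_.Properties[3].Value
            StartName = $_.Properties[4].Value
        }
    }
}

# Constructed sample in Win32_Service shape (not from a real host). MalService and Hijacked
# mirror the two commands in the post; the other entries stand in for ordinary services.
$SampleServices = @(
    [pscustomobject]@{ Name = 'Spooler';    StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Name = 'VendorUpd';  StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = '"C:\Program Files\Vendor\updater.exe" /svc' }
    [pscustomobject]@{ Name = 'MalService'; StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = '"C:\path\to\my\malware.exe"' }
    [pscustomobject]@{ Name = 'Hijacked';   StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = '"c:\ADS\file.txt:cmd.exe" /c echo works > "c:\ADS\works.txt"' }
    [pscustomobject]@{ Name = 'Loader';     StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = 'C:\Windows\System32\cmd.exe /c C:\Users\Public\run.bat' }
)

$onWindows = [System.Environment]::OSVersion.Platform -eq 'Win32NT'
$records   = if ($onWindows) { @(Get-LiveServiceRecord) + @(Get-ServiceInstallRecord) } else { $SampleServices }
Find-SuspiciousService -Service $records | Format-Table -AutoSize
```

Against the sample, Spooler and VendorUpd come back clean, MalService and Hijacked are flagged for an image outside Windows and Program Files (Hijacked additionally for the alternate data stream), and Loader is flagged for using cmd.exe as its image with a script under C:\Users\Public. On a real host expect some noise from third-party software that installs outside Program Files; the value of the hunt is in the combination of indicators with an Automatic start mode and a recent 7045 install event, which are the same fields you will be searching in Splunk later in this campaign.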
Let’s Get Our Hands Dirty!
I find the best way of learning is doing. Let’s see how malicious services are used as persistence mechanisms in the real world.
With help from the team at Cympire I have created a threat hunting campaign which will demonstrate how attackers create and use Windows Services to maintain persistence on a compromised Windows machine. The campaign walks you through how to create these malicious Windows Services in an interactive and fun environment that uses real-world hacking tools.
Once you install your persistence mechanism you will jump over to an Attacker machine where you will be able to see how your C2 implant stays persistent even if the victim reboots their machine. The C2 implant gives you a reverse shell on a Target machine that allows you to perform various nefarious actions. When you are finished playing the role of the bad guy you can then hunt for this persistence mechanism using Splunk.
Splunk is a platform for collecting, searching, analysing, and visualising machine-generated big data. It is commonly used for security information and event management (SIEM), log management, and IT operations. It is a powerful tool that helps large enterprises, government agencies, and small to medium-sized businesses make sense of machine data and turn it into actionable insights.
We will use the Splunk “Search & Reporting App” to hunt for the malicious service you installed using special syntax known as Search Processing Language (SPL). This query language is widely used in the security industry and allows us to perform powerful searches that reveal malicious or suspicious behaviour.
Finally, we will kick the adversary off of the compromised endpoint using the Windows Services application and regain control of the Windows machine!
To play along with this campaign simply navigate to this link and get started for FREE. Here you can sign up for the Cympire platform and tackle the Service Persistence campaign I have created just for you.
Feel free to let me know how you get on and if you would like to see any other threat hunting campaigns!
Discover more in the Hunting for Persistence with Cympire series!