Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence. The “binPath” is the location that points the service to the binary that need to execute when the service is started Windows provides a functionality in order to perform certain actions when a service fails to start or it’s correspondence process is terminated. Specifically a command can be executed when a service is killed. The registry key that controls this action is the “FailureCommand” and it’s value will define what will executed
Credit(s): Sreeman
Example:
sc config Fax binPath= "C:\Windows\System32\suspicious.exe" start="auto" obj="LocalSystem"
sc failure Fax command= ""c:\Windows\system32\malicious.exe""
Reference:
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L8
Related
{{mitre("T1543.003")}}
{{mitre("T1574.011")}}
Data Source(s): Process
let selection_sc_1 = dynamic(['sc','config ','binpath=']);
let selection_sc_2 = dynamic(['sc','failure','command=']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where InitiatingProcessParentFileName <> "msiexec.exe"
| where FolderPath endswith "sc.exe"
| where (ProcessCommandLine has_all (selection_sc_1) or ProcessCommandLine has_all (selection_sc_2))
//| summarize count(), earliest_Timestamp=min(TimeGenerated) by AccountDomain, AccountName, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, ProcessCommandLine, TenantId
- Examine the process that initiates the action, if it's suspicious
- Determine the executable locations, is it expected
- If process looks suspicious, check file hashes if malicous or not
- Driver/ agents installation
Version 1.1 (date: 13/02/2024)