CAR-2014-03-005: Remotely Launched Executables via Services
There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.
When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication and tells the client which port the endpoint (in this case the SCM) is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the SCM process will run the corresponding command.
This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Create or Modify System Process | Windows Service | Persistence | Moderate |
System Services | Service Execution | Execution | Moderate |
D3FEND Techniques
ID | Name |
---|---|
D3-RTA | RPC Traffic Analysis |
Data Model References
Object | Action | Field |
---|---|---|
flow | start | pid |
process | create | parent_exe |
process | create | pid |
Implementations
Pseudocode
Look for processes launched from services.exe within 1 second of services.exe receiving a network connection.
```
process = search Process:Create
flow = search Flow:Start
service = filter process where (parent_exe == "services.exe")
# The flow's pid belongs to services.exe (the process that accepted the
# connection), so it is matched against the child's parent pid, not its own pid.
remote_start = join (flow, service) where (
  flow.hostname == service.hostname and
  flow.pid == service.ppid and
  (flow.time < service.time < flow.time + 1 second)
)
output remote_start
```
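The same Flow:Start / Process:Create join, written out as a runnable Python sketch over constructed sample telemetry (an added example, not CAR's own code; the field names mirror the pseudocode, and the host names, pids and timestamps are made up):

```python
# Added example: detect services.exe spawning a child within 1 second of
# receiving an inbound connection (CAR-2014-03-005). All data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FlowStart:
    hostname: str
    pid: int          # process that owns the socket, here services.exe
    time: datetime

@dataclass
class ProcessCreate:
    hostname: str
    pid: int
    ppid: int         # parent pid; equals the services.exe pid for service starts
    parent_exe: str
    exe: str
    time: datetime

WINDOW = timedelta(seconds=1)   # the pseudocode's "1 second"

def remote_service_starts(flows, processes):
    """Return (flow, process) pairs where a child of services.exe was created on
    the same host, by the same services.exe pid, within WINDOW after the flow."""
    services = [p for p in processes if p.parent_exe.lower() == "services.exe"]
    hits = []
    for f in flows:
        for s in services:
            if (f.hostname == s.hostname and f.pid == s.ppid
                    and f.time < s.time < f.time + WINDOW):
                hits.append((f, s))
    return hits

# Constructed sample events.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ms = lambda n: timedelta(milliseconds=n)
FLOWS = [
    FlowStart("ws01", 624, T0),                 # inbound connection to services.exe
    FlowStart("ws02", 640, T0 + ms(30_000)),
]
PROCS = [
    ProcessCreate("ws01", 4120, 624, "services.exe", "PSEXESVC.exe", T0 + ms(300)),     # hit
    ProcessCreate("ws01", 4130, 624, "services.exe", "svchost.exe", T0 + ms(45_000)),   # too late
    ProcessCreate("ws02", 4200, 640, "services.exe", "svchost.exe", T0 + ms(30_500)),   # hit
    ProcessCreate("ws02", 4210, 1000, "explorer.exe", "cmd.exe", T0 + ms(30_100)),      # wrong parent
]

if __name__ == "__main__":
    for f, s in remote_service_starts(FLOWS, PROCS):
        print(f"{s.hostname}: services.exe (pid {f.pid}) spawned {s.exe} "
              f"{(s.time - f.time).total_seconds():.3f}s after a connection")
```

A service start that happens to coincide with unrelated inbound RPC traffic to services.exe will also match, so the analytic is a lead to triage (child image, remote peer, account) rather than a verdict.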