Services Escalate Exe

Try in Splunk Security Cloud

Description

The following analytic identifies the use of svc-exe with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using svc-exe, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within C:\Windows\400619a.exe. Following, the binary will be added to the registry under key HKLM\System\CurrentControlSet\Services\400619a\ with multiple keys and values added to look like a legitimate service. Upon loading, services.exe will spawn the randomly named binary from \\127.0.0.1\ADMIN$\400619a.exe. The process lineage is completed with 400619a.exe spawning rundll32.exe, which is the default spawnto_ value for Cobalt Strike. The spawnto_ value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The spawnto_ process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2021-05-18
• Author: Michael Haag, Splunk
• ID: c448488c-b7ec-11eb-8253-acde48001122

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1548	Abuse Elevation Control Mechanism	Privilege Escalation, Defense Evasion

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `services_escalate_exe_filter`

Macros

The SPL above uses the following Macros:

• security_content_summariesonly
• security_content_ctime

services_escalate_exe_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Processes.dest
• Processes.user
• Processes.parent_process
• Processes.process_name
• Processes.process
• Processes.process_id
• Processes.parent_process_id

How To Implement

To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.

Known False Positives

False positives should be limited as services.exe should never spawn a process from ADMIN$. Filter as needed.

Associated Analytic Story

• Cobalt Strike

RBA

Risk Score	Impact	Confidence	Message
76.0	80	95	A service process $parent_process_name$ with process path $process_path$ in host $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
• https://attack.mitre.org/techniques/T1548/
• https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/index.htm#cshid=1085

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1