Try in Splunk Security Cloud

Description

The following analytic identifies the use of svc-exe with Cobalt Strike. The behavior typically follows after an adversary has already gained initial access and is escalating privileges. Using svc-exe, a randomly named binary will be downloaded from the remote Teamserver and placed on disk within C:\Windows\400619a.exe. Following, the binary will be added to the registry under key HKLM\System\CurrentControlSet\Services\400619a\ with multiple keys and values added to look like a legitimate service. Upon loading, services.exe will spawn the randomly named binary from \\127.0.0.1\ADMIN$\400619a.exe. The process lineage is completed with 400619a.exe spawning rundll32.exe, which is the default spawnto_ value for Cobalt Strike. The spawnto_ value is arbitrary and may be any process on disk (typically system32/syswow64 binary). The spawnto_ process will also contain a network connection. During triage, review parallel procesess and identify any additional file modifications.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-05-18
  • Author: Michael Haag, Splunk
  • ID: c448488c-b7ec-11eb-8253-acde48001122

ATT&CK

ID Technique Tactic
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe Processes.process_path=*admin$* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `services_escalate_exe_filter`

Associated Analytic Story

How To Implement

To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id

Kill Chain Phase

  • Exploitation
  • Privilege Escalation

Known False Positives

False positives should be limited as services.exe should never spawn a process from ADMIN$. Filter as needed.

RBA

Risk Score Impact Confidence Message
76.0 80 95 A service process $parent_process_name$ with process path $process_path$ in host $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1