Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today, we're going to be looking at the persistence mechanism known as New Service. So with that, let's go ahead and jump into our objectives.
00:15
So the objectives of today's discussion are to describe what New Service is with respect to the framework,
00:20
how New Service has been used, some mitigation techniques, and some detection techniques.
00:26
So New Service is when a threat actor or actors take advantage of systems by installing a new service that can be configured to execute at startup, using utilities to interact with the service or by modifying the registry.
00:42
So threat actors will typically name services after legitimate software to attempt to circumvent controls or bypass detection methods. Services are commonly used to perform privilege escalation, to get an administrator account to SYSTEM level.
00:58
Some of these services run at SYSTEM level, and you can go in and do a quick Ctrl+Alt+Delete. And so, while we're sitting here,
01:06
I can actually go ahead and demonstrate that
01:08
so I hit Ctrl+Alt+Delete,
01:11
click outside of that,
01:15
and then if we go into Task Manager and we actually look at some of the services here,
01:23
a threat actor could potentially attempt to run as any given service in these areas. And so it's got groups and things of that nature, like Local Service. And if we go into the Details tab and look here, we'll actually see that a number of services are running as SYSTEM
01:41
and things of that nature. And so
01:44
if a threat actor is able to take a particular service and run as that service, like inject itself into that and take over that particular PID or something of that nature, they could potentially have SYSTEM-level privilege. And so
02:00
this particular type of attack could be very beneficial for a threat actor if they're able to get SYSTEM-level
02:07
access. So let's talk about the Trojan Rocky Manu. So Rocky Manu is a Trojan that steals information from the compromised system. And so, just to give you an idea of how this works, it creates the following files. So under Help,
02:25
cndy.dat, and then it does irmon.dll.
02:30
And so then, after creating these two files here, it will create the following service, irmon, which is the name of the service. It will have an image path as follows here,
02:45
and then the description. It will actually have a written-out description. And so it indicates here that the infrared port monitor is present for all computers with infrared ports; it initiates file transfers between your computer and another device, like a PDA or mobile phone.
03:00
So very interesting. So if we're not savvy, if we're not really paying attention,
03:06
if we don't know what we're looking for, this could potentially sneak under the radar as far as having that installed on us and never knowing the difference.
03:15
So let's go ahead and look at some mitigation techniques for this as well. So limit user account privileges to those necessary, and do not allow accounts to have administrative access for daily tasks. Utilize malware detection and prevention tools to slow down or stop known variants of these types of attacks.
03:36
Again, there may be components of these packages that could be undetected even if the antivirus were able to get it, so it may be providing a false sense of security,
03:46
and again we keep coming back to not allowing administrative access for daily tasks. I know that's becoming redundant, but it is a mitigation technique for several of these areas within persistence.
04:00
Now let's talk about some detection techniques at a high level. We can monitor service creation and changes in the registry. And so we shouldn't be making daily changes to our registry. So any time changes occur, we would want to alert on that and evaluate it to see if it was legitimate activity.
04:17
Analysis should be done on multiple events to determine if a threat actor is potentially in the network. And so what this means
04:24
is you don't want to do a one-for-one: one thing happens, we review it; one thing happens, we look at it. We want to take a group of events, cluster those together, and see if those activities correlate with things that a threat actor would be doing: a network scan, Nmap scans,
04:40
attempts to load software, attempts to do privilege escalation. All of that may
04:45
tie back to known bad IP addresses that something tried to reach out to
04:50
again. So you can't take a single event and tie it back to a threat actor. In most cases, you'll have to take multiple events, put them all together, and kind of create a chain of attacks that this threat actor was moving through.
05:05
And so look for changes in systems that do not correlate with patching or other system management practices. So if there was no patching going on that day, if we weren't supposed to be making changes, if there was nothing on the calendar for us to be doing,
05:19
why did it happen? And if something is different or something's out of place, then it makes sense to evaluate it and see if you can tie it back to either a legitimate or business function, or if it is indeed a threat actor.
05:33
Now, let's do a quick check on learning: implementing a new service does not allow threat actors to get SYSTEM-level access.
05:45
All right, well, if you need additional time to evaluate the statement, please do so. So the key thing here is that implementing a new service does not allow the threat actor to gain SYSTEM-level access. Well, we just did a quick look at the command prompt, or rather the
06:01
Task Manager, and we found that there were a number of services running at SYSTEM
06:05
level. So
06:08
this is
06:10
a false statement. A threat actor could be allowed
06:15
to get SYSTEM-level access by implementing a new service, depending on what they do. So with that, let's go ahead and jump over to our summary. So we described what New Service is, and essentially, this is where a threat actor either injects themselves into a current service or creates a new service on a system.
06:32
We reviewed how New Service has been used, or how it could be used, by evaluating a particular Trojan and some things that it does to the system.
06:41
We reviewed some mitigation techniques, and we looked at some detection techniques as well. Again, we will continue to reiterate, any time it is pertinent, that administrative access in limited quantities is good. Least privilege is good. A high number of these attack vectors are mitigated by things that we can do
06:59
with little to no cost to our organizations.
07:01
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor