Services Escalate Exe

Description

The following analytic identifies the use of svc-exe with Cobalt Strike. The behavior typically occurs after an adversary has already gained initial access and is escalating privileges. Using svc-exe, a randomly named binary is downloaded from the remote Teamserver and written to disk at C:\Windows\400619a.exe. Next, the binary is registered under the key HKLM\System\CurrentControlSet\Services\400619a\, with multiple keys and values added so that it looks like a legitimate service. Upon loading, services.exe spawns the randomly named binary from \\127.0.0.1\ADMIN$\400619a.exe. The process lineage is completed by 400619a.exe spawning rundll32.exe, which is the default spawnto_ value for Cobalt Strike. The spawnto_ value is arbitrary and may be any process on disk (typically a system32/syswow64 binary). The spawnto_ process will also have a network connection. During triage, review parallel processes and identify any additional file modifications.
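The lineage described above (services.exe spawning a binary from the local ADMIN$ share, which in turn spawns the spawnto_ process), checked over constructed process-creation events as an added example; this is not the analytic's own search, and the event field names (host, pid, ppid, image) and the 127.0.0.1 ADMIN$ path check are assumptions.

```python
"""Flag the svc-exe process chain over Sysmon-style process-creation
events. Field names are assumed; the sample telemetry is constructed."""
import re

# A binary launched through the local admin share, e.g. the page's
# example path \\127.0.0.1\ADMIN$\400619a.exe (case-insensitive).
ADMIN_SHARE_RE = re.compile(r"^\\\\127\.0\.0\.1\\ADMIN\$\\[^\\]+\.exe$", re.IGNORECASE)


def find_svc_exe_chains(events):
    """Return one finding per process that (1) was spawned by services.exe,
    (2) runs from \\127.0.0.1\ADMIN$\, and (3) spawned at least one child
    (the spawnto_ process; rundll32.exe by default, but any image counts)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("\\services.exe"):
            continue
        if not ADMIN_SHARE_RE.match(e["image"]):
            continue
        kids = children.get(e["pid"], [])
        if not kids:
            continue
        findings.append({
            "host": e["host"],
            "service_binary": e["image"],
            "spawnto": [k["image"] for k in kids],
        })
    return findings


# Constructed sample telemetry (not real logs): one malicious chain and
# one benign service start from System32 that must not be flagged.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 700, "ppid": 500, "image": r"C:\Windows\System32\services.exe"},
    {"host": "ws01", "pid": 4120, "ppid": 700, "image": r"\\127.0.0.1\ADMIN$\400619a.exe"},
    {"host": "ws01", "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe"},
    {"host": "ws01", "pid": 4200, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\WerFault.exe"},
]

if __name__ == "__main__":
    for finding in find_svc_exe_chains(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the spawnto_ image list so the triage step (checking that process for a network connection and reviewing parallel file modifications) starts from the right PID.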

Services Escalate Exe Help

To successfully implement this search, you will need to ensure that DNS data is populating the Network_Resolution data model.
