060. Detecting System Registry Abuse for Installing Sagerunex Backdoor as a Service
Hello everyone! Abusing Windows services is a very common persistence technique. Usually adversaries just create a new service, but in some cases they may also modify existing services! Let's look at such an example.
Cisco Talos presented a report on an espionage activity cluster they track as Lotus Blossom. Instead of registering a new service, the threat actors use reg.exe to repoint an existing svchost-hosted service (tapisrv, the Telephony service) at the Sagerunex backdoor DLL and switch the service to auto-start (Start = 2), so the host's own svchost.exe loads the backdoor at boot:
reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f
An easy way to hunt for such activity is to search for "ServiceDll" among reg.exe command line parameters:
event_type:"processcreate"
AND
proc_file_name: "reg.exe"
AND
cmdline: "ServiceDll"
Depending on your telemetry, you can also hunt for modifications of ServiceDll values directly (for example Sysmon Event ID 13, RegistryEvent Value Set). That catches the same change when it is made through PowerShell, a custom binary or the backdoor itself rather than reg.exe, and it lets you flag ServiceDll data that points outside %SystemRoot%\System32, where the vast majority of legitimate service DLLs live. The Start = 2 change on its own is far too noisy to alert on; ServiceDll is the pivot.
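To show both hunts running against the same telemetry, here is a small added example (my code, not part of the original post or the Talos report). It walks a constructed stream of JSON-per-line events that reuses the field names from the query above (event_type, proc_file_name, cmdline) plus an assumed value-set event shape (target_object, details) for the registry side; the sample lines are made up, and the assumption that %SystemRoot% is C:\Windows is hard-coded. It flags reg.exe command lines that touch ServiceDll, extracts the DLL path from the /d argument, flags ServiceDll value-set events from any process, and rates each finding by whether the DLL lives under System32.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry, one JSON event per line. None of these are real
# logs; the reg.exe lines mirror the Lotus Blossom commands quoted in the post,
# the wuauserv line is a benign look-alike, and the PowerShell line shows the
# same change made without reg.exe.
SAMPLE_EVENTS = r"""
{"event_type": "processcreate", "proc_file_name": "reg.exe", "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\tapisrv.dll /f"}
{"event_type": "processcreate", "proc_file_name": "reg.exe", "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv /v Start /t REG_DWORD /d 2 /f"}
{"event_type": "processcreate", "proc_file_name": "reg.exe", "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"event_type": "registryvalueset", "proc_file_name": "svchost.exe", "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Parameters\\ServiceDll", "details": "%systemroot%\\system32\\wuaueng.dll"}
{"event_type": "registryvalueset", "proc_file_name": "powershell.exe", "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv\\Parameters\\ServiceDll", "details": "C:\\Windows\\tapisrv.dll"}
"""

# Assumption: %SystemRoot% is C:\Windows on the hosts being hunted.
SYSTEM_ROOT = "c:\\windows"
SYSTEM32 = SYSTEM_ROOT + "\\system32\\"

# Service name is the key component right after \Services\ in the registry path.
SERVICE_IN_KEY = re.compile(r"\\services\\([^\\\s]+)", re.IGNORECASE)
# The data argument of "reg add": /d followed by a quoted or unquoted value.
REG_DATA_ARG = re.compile(r'/d\s+("([^"]+)"|(\S+))', re.IGNORECASE)


def normalize_dll_path(raw: str) -> str:
    """Lower-case, strip quotes and expand the usual SystemRoot variables."""
    path = raw.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, SYSTEM_ROOT)
    return path


def severity_for(dll_path: str) -> str:
    """A ServiceDll outside System32 is the interesting case for svchost-hosted services."""
    return "low" if dll_path.startswith(SYSTEM32) else "high"


def service_name(key_path: str) -> str:
    match = SERVICE_IN_KEY.search(key_path)
    return match.group(1).lower() if match else "unknown"


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run both ServiceDll hunts over JSON-per-line events and return findings."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        etype = event.get("event_type", "").lower()
        image = event.get("proc_file_name", "").lower()

        if etype == "processcreate" and image == "reg.exe":
            # Hunt 1: the query from the post, plus extraction of the DLL path.
            cmdline = event.get("cmdline", "")
            if "servicedll" not in cmdline.lower():
                continue
            match = REG_DATA_ARG.search(cmdline)
            dll = normalize_dll_path(match.group(2) or match.group(3)) if match else ""
            findings.append({
                "rule": "reg_exe_servicedll_cmdline",
                "service": service_name(cmdline),
                "image": image,
                "dll": dll,
                "severity": severity_for(dll) if dll else "high",
            })
        elif etype == "registryvalueset":
            # Hunt 2: any process writing a ...\Parameters\ServiceDll value.
            target = event.get("target_object", "")
            if not target.lower().endswith("\\parameters\\servicedll"):
                continue
            dll = normalize_dll_path(event.get("details", ""))
            findings.append({
                "rule": "servicedll_value_set",
                "service": service_name(target),
                "image": image,
                "dll": dll,
                "severity": severity_for(dll),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The benign wuauserv write is still reported, but at low severity, so it can be baselined rather than dropped: a ServiceDll that later moves out of System32 is exactly the change you want to see. The reg.exe Start = 2 command produces no finding by itself, matching the reasoning above.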
Have a great weekend!
See you tomorrow!