060. Detecting System Registry Abuse for Installing Sagerunex Backdoor as a Service

Hello everyone! Abusing Windows services is a very common persistence technique. Usually adversaries just create a new service, but in some cases they may also modify existing services! Let's look at such example.


Cisco Talos presented a report on an espionage activity cluster they track as Lotus Blossom. The threat actors leverage reg.exe to modify registry keys related to services and enable persistence of Sagerunex backdoor:

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f 

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f 

An easy way to hunt for such activity is to search for "ServiceDll" among reg.exe command line parameters:

event_type:"processcreate"

AND

proc_file_name: "reg.exe"

AND

cmdline: "ServiceDll"

Depending on your telemetry, you can also search for "ServiceDll" value modification events as well!

Have a great weekend!

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access