060. Detecting System Registry Abuse for Installing Sagerunex Backdoor as a Service

Hello everyone! Abusing Windows services is a very common persistence technique. Usually adversaries just create a new service, but in some cases they may also modify existing services! Let's look at such an example.

Cisco Talos presented a report on an espionage activity cluster they track as Lotus Blossom. The threat actors leverage reg.exe to modify registry keys related to an existing service (tapisrv) and establish persistence for the Sagerunex backdoor: the first command points the service's ServiceDll value at the backdoor DLL, the second sets Start to 2 (automatic start):

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f

An easy way to hunt for such activity is to search for "ServiceDll" among reg.exe command line parameters:

event_type:"processcreate"
AND
proc_file_name:"reg.exe"
AND
cmdline:"ServiceDll"

Depending on your telemetry, you can also search for modifications of "ServiceDll" registry values directly (registry value set events), which catches the same change even when it is made without reg.exe!
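The hunt described above, as an added Python example that is not part of the original post or the Talos report: it applies the three-clause query to constructed process-creation events (field names as in the query), then parses the matching reg add command line to pull out the service name and DLL path, and looks for other reg add calls against the same service key (such as the Start change) to help triage. The event layout, the ControlSet00N handling and the helper names are assumptions.

```python
import re
import shlex

# Constructed sample process-creation events (not real telemetry); the first two
# command lines are the ones quoted from the Talos report, the third is noise.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f"},
    {"event_type": "processcreate", "proc_file_name": "reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f"},
    {"event_type": "processcreate", "proc_file_name": "cmd.exe",
     "cmdline": "cmd.exe /c echo ServiceDll"},
]

# Service name from HKLM\SYSTEM\<control set>\Services\<name>[\Parameters...]
SERVICE_KEY = re.compile(r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\services\\([^\\]+)", re.I)


def parse_reg_add(cmdline):
    """Return {key, value, type, data} for a 'reg add' command line, else None."""
    # posix=False keeps backslashes literal; quotes around paths with spaces are stripped after
    argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    if len(argv) < 3 or argv[1].lower() != "add":
        return None
    lowered = [tok.lower() for tok in argv]
    parsed = {"key": argv[2]}
    for flag, name in (("/v", "value"), ("/t", "type"), ("/d", "data")):
        if flag in lowered and lowered.index(flag) + 1 < len(argv):
            parsed[name] = argv[lowered.index(flag) + 1]
    return parsed


def service_of(parsed):
    """Lower-cased service name if the parsed key sits under the Services hive, else None."""
    m = SERVICE_KEY.match(parsed["key"]) if parsed else None
    return m.group(1).lower() if m else None


def hunt_servicedll(events):
    """The page's query (processcreate AND reg.exe AND 'ServiceDll'), plus triage fields."""
    hits = []
    for ev in events:
        is_reg = ev.get("event_type") == "processcreate" and ev.get("proc_file_name", "").lower() == "reg.exe"
        if not is_reg or "servicedll" not in ev.get("cmdline", "").lower():
            continue
        parsed = parse_reg_add(ev["cmdline"])
        service = service_of(parsed)
        # Other reg add calls against the same service key (e.g. Start = 2) round out the picture
        related = [p["value"] for p in (parse_reg_add(o.get("cmdline", "")) for o in events if o is not ev)
                   if p and "value" in p and service and service_of(p) == service]
        hits.append({"service": service, "dll": (parsed or {}).get("data"), "related_values": related})
    return hits
```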

Have a great weekend!

See you tomorrow!
