threat-analysis

Let’s do a deeper dive into the nuances of service hijacking  – specifically the two primary variations of the technique and practical insights on how to detect them. The aim here is to equip you with the knowledge needed to identify these stealthy attacks and fortify your defenses. Awareness and knowledge are the first steps in prevention and mitigation. By understanding how service hijacking works, and how to detect it, you can better protect your networks and data. 

Potentially Dangerous Blind Spots

Security professionals are familiar with the idea of malicious actors creating new services on a compromised machine as a means of establishing persistence. This method, while effective, can be easily detected by vigilant monitoring for new or nonstandard service names. In recent years, we’ve seen an uptick in a more subtle strategy – the hijacking of existing services. With a plethora of unused or disabled services on most machines, threat actors find fertile ground in which to embed their activities without triggering the alarm bells that a newly minted service might. This means that a sole focus on spotting nonstandard service names can lead to dangerous blind spots.

Let’s unpack the two main variants of service hijacking: repurposing an existing service and using a legitimate service as a host for a malicious one.

Repurposing an Existing Service

In this approach, threat actors modify an existing service’s configurations so that it executes malicious payloads instead of its intended function. The service continues to operate under its original name, making it blend seamlessly with the machine’s legitimate activities. The attackers are essentially hiding in plain sight, using the service’s perceived legitimacy as a protective shield against detection.

Detecting this type of hijacking can be challenging. It necessitates a deep understanding of the baseline behavior of the services on your network. This includes knowing what each service is supposed to do, the resources it should access, and the network connections it should make. Regular auditing of service configurations and monitoring for changes help us spot alterations that might indicate a hijacking. Additionally, utilizing a file integrity monitoring tool can alert us to unauthorized modifications to service files.

Let’s Look at an example of threat actors exploiting an existing, legitimate service by altering its configuration, making it execute their malicious code instead of, or in addition to, its original function.

Consider a Windows machine with a myriad of services running in the background, many of which the typical user might not be aware. One such service could be the “Windows Update” service, also known as `wuauserv.` This service is responsible for enabling the installation of Windows updates.

An attacker who gains access to the system could change the “ImagePath” of the Windows Update service in the Windows Registry, which determines what executable the service launches. This is typically located at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv.`

If the attacker changes the “ImagePath” from its normal value to point to their malicious executable, the next time the Windows Update service runs, it will launch the attacker’s code. From a monitoring standpoint, it would appear as if the legitimate Windows Update service is running, making the malicious activity blend into the background noise.

To detect such a modification, security teams should regularly audit their service configurations and monitor for changes. Tools that perform file integrity monitoring can help detect unauthorized changes to service files. Event logs can also provide valuable information. In our example, Windows Event ID 7045 (a service was installed in the system) can be monitored for new or modified services.

This example demonstrates the stealth and sophistication of service hijacking. It emphasizes the importance of not only monitoring for new or nonstandard services but also keeping a vigilant eye on changes to existing ones. In the fast-paced world of cybersecurity, understanding these nuances and staying a step ahead of the threat actors is crucial for maintaining a robust defense.

Using a Legitimate Service as a Host

The second method involves using a legitimate service as a host for a malicious one. Attackers inject malicious code into the service process, effectively transforming it into a vehicle for their nefarious activities. The service retains its original function, making this type of service hijacking even harder to detect.

To identify this, we look for anomalous behavior in the service. This could be unusual CPU usage, unexpected network connections, or the service accessing files and directories it normally wouldn’t. Memory analysis can also be used to find the injected code, but this requires a more advanced skill set. In this form of service hijacking, rather than changing the configuration of an existing service, the attacker injects malicious code into the process space of a running service. 

Let’s look at an example of this technique, also known as process hollowing or process injection, where the `svchost.exe` process on a Windows machine is a common target.

`svchost.exe` is a generic host process name for services that run from dynamic-link libraries (DLLs), and it’s not uncommon to find multiple instances of `svchost.exe` running at any given time. This makes it an ideal candidate for an attacker seeking to blend in with legitimate system activities. The attacker might use a technique like DLL injection, where they force `svchost.exe` to load a malicious DLL. The code in this DLL could perform a variety of tasks, from keylogging, to establishing a reverse shell for the attacker.

From the system’s point of view, it just looks like `svchost.exe` is running as usual. However, underneath the surface, the service is hosting malicious activities.

As noted above, detection of this type of service hijacking is challenging and requires looking for anomalous behavior. This could include unexpected network connections from `svchost.exe,` unusual CPU usage, or the service accessing files and directories it normally wouldn’t. Sophisticated detection mechanisms like memory forensics can also be useful. Specific tools can help identify injected code in a process’ memory space.

Using a legitimate service as a host for malicious activities is a stealthy technique that threat actors employ. It highlights the importance of comprehensive monitoring and a deep understanding of normal service behavior in order to spot anomalies indicative of a compromise. Recognizing these tactics and knowing how to detect them are key skills in the modern landscape of cybersecurity.

Deeper Security Brings Peace of Mind

Both variants of service hijacking underscore the necessity for comprehensive monitoring and analysis. Simply relying on identifying unrecognized services is insufficient. It is paramount to build robust baseline knowledge of your network’s normal behavior and use that information to spot anomalies. Furthermore, regular audits of service configurations and the use of advanced detection techniques like memory analysis can significantly enhance your ability to detect service hijacking.

DeepSeas MDR+ for OT, IT, mobile and cloud is a comprehensive Managed Detection & Response solution designed to protect businesses from sophisticated cyber threats – offering peace of mind through 24/7 protection, fast and complete threat response, and a way to optimize existing security investments.

Remember, your adversaries may be relentless, but with the right knowledge and tools, so are you.

This beginner’s guide to nuances of service hijacking was written by a valued member of our DeepSeas crew, Luis M Ponce De Leon, CISSP, CCSP, GRID