Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.
Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of Exploitation for Privilege Escalation.(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution.
To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create ‘hidden’ services (i.e., Hide Artifacts), for example by using the sc sdset command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as Get-Service, sc query, and services.exe.(Citation: SANS 1)(Citation: SANS 2)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-vt | Intel Virtualization Technology | Win 11, HWESP | T1543.003 | Windows Service |
Comments
Windows Kernel Data Protection uses VBS (Intel PTT, Intel VT-x, Intel VT-d, Intel VT-rp, and Intel BootGuard) to protect kernel data, kernel data structures, and OS drivers from tampering attacks.
With KDP, software running in kernel-mode can protect read-only memory statically (a section of its own image) or dynamically (pool memory that can be initialized only once). KDP only establishes write protections in VTL1 for the GPAs backing a protected memory region using the SLAT page tables for the hypervisor to enforce. This way, no software running in the NT kernel (VTL0) can have the permissions needed to change the memory. The goal of using KDP is to protect internal policy state after it has been initialized (i.e., read from the registry or generated at boot time). These data structures are critical to protect as if they are tampered with a driver that is properly signed but vulnerable could attack the policy data structures and then install an unsigned driver on the system. With KDP, this attack is mitigated by ensuring the policy data structures cannot be tampered with. The score of significant highlights this real-time protection of the kernel data, data structures, and drivers from tampering attacks.
HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both.
HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.
The Vulnerable Driver Blocklist uses Virtualization Based Security (VBS) Memory Integrity feature or HVCI, which in turn rely on Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to create an isolated virtual environment for the kernel such that attacks from vulnerable drivers are prevented. It uses a deny list approach along with code signing checks to ensure vulnerable drivers are not modified and to prevent attacks against them.
"... the vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active."
"The blocklist is updated with each new major release of Windows, typically 1-2 times per year..."
"Memory integrity and virtualization-based security (VBS) improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS."
References
|
| intel-vt | Intel Virtualization Technology | Win 11, KDP | T1543.003 | Windows Service |
Comments
Windows Kernel Data Protection uses VBS (Intel PTT, Intel VT-x, Intel VT-d, Intel VT-rp, and Intel BootGuard) to protect kernel data, kernel data structures, and OS drivers from tampering attacks.
With KDP, software running in kernel-mode can protect read-only memory statically (a section of its own image) or dynamically (pool memory that can be initialized only once). KDP only establishes write protections in VTL1 for the GPAs backing a protected memory region using the SLAT page tables for the hypervisor to enforce. This way, no software running in the NT kernel (VTL0) can have the permissions needed to change the memory. The goal of using KDP is to protect internal policy state after it has been initialized (i.e., read from the registry or generated at boot time). These data structures are critical to protect as if they are tampered with a driver that is properly signed but vulnerable could attack the policy data structures and then install an unsigned driver on the system. With KDP, this attack is mitigated by ensuring the policy data structures cannot be tampered with. The score of significant highlights this real-time protection of the kernel data, data structures, and drivers from tampering attacks.
HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both.
HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.
The Vulnerable Driver Blocklist uses Virtualization Based Security (VBS) Memory Integrity feature or HVCI, which in turn rely on Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to create an isolated virtual environment for the kernel such that attacks from vulnerable drivers are prevented. It uses a deny list approach along with code signing checks to ensure vulnerable drivers are not modified and to prevent attacks against them.
"... the vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active."
"The blocklist is updated with each new major release of Windows, typically 1-2 times per year..."
"Memory integrity and virtualization-based security (VBS) improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS."
References
|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1543.003 | Windows Service |
Comments
Intel Threat Detection Technology (TDT) and CrowdStrike Falcon Accelerated Memory Scanning (CAMS): Defending Against Windows Services Abuse
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Advanced Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Windows Services abuse. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Windows Services abuse involves adversaries leveraging Windows services to maintain persistence, escalate privileges, or execute malicious code without detection. Attackers may exploit vulnerabilities in system services or misconfigurations to inject malicious code, modify service configurations, or elevate privileges. Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, allowing the detection of abnormal behaviors that could indicate misuse of Windows services for malicious purposes.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, enabling faster, more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors, such as unauthorized service modifications, service injection attempts, or privilege escalation via Windows services, providing proactive defense against these evasive techniques used by attackers to compromise critical systems.
References
|