Thursday, October 24, 2013

Daily Blog #123: Svchost Persistence Question Answered

Hello Reader,
After getting our stock XP VM license up and activated, I did some testing today with the svchost key found here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost. The purpose of my testing was to determine what would be required to enable persistence using the Service Host facility. This came about after this week's Sunday Funday answer and Harlan Carvey's follow-on question. After doing my testing, this is what I can say.

1. The svchost key determines the grouping for which services will run under which svchost process, but it does not attempt to call out to the path of any executable. Instead, svchost looks into the services key found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to find the information needed to locate and execute the service.

Result: Svchost on its own is not a persistence mechanism

2. You cannot create just a stub service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and expect it to run from svchost. The service must be correctly registered and seen by services in order for svchost to execute it.

Result: Currently I do not see a way to half-create an executable service that will not be listed in services; this requires more testing to find what the criteria are for an executable service.

3. You cannot append a ; to the ImagePath value and get a second command to execute. For instance, I appended the following: ; %SystemRoot%\system32\test.bat to the ImagePath value for DHCP found in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath, which was only met with a service that failed to start.

Result: Currently I do not see a way to load a second program within a legitimate service stub; this also needs further testing.
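For an analyst who wants to verify these three findings on a live box or a mounted hive, the following PowerShell script walks the Svchost group key, then cross-checks every listed service against the Services key the way svchost itself does. It is an added example written for this post, not code from the original entry; the two registry paths are the ones named above, while the "suspicious" rules (a member with no Services subkey, a svchost-hosted service with no Parameters\ServiceDll, a ServiceDll outside system32, or an ImagePath that does not reference svchost.exe) are my own triage heuristics, not anything the post tested. It assumes it is run on the Windows host being examined, with PowerShell's HKLM: drive available.

```powershell
# Added example (not from the original post): enumerate svchost service groups
# and cross-check each member against HKLM\SYSTEM\CurrentControlSet\Services.
# Assumes it runs on a live Windows host; the flagging rules below are my own
# triage heuristics, not criteria the post established.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$groupKey = Get-Item -Path $svchostKey
$report   = foreach ($group in $groupKey.GetValueNames()) {
    $members = $groupKey.GetValue($group)
    # Only REG_MULTI_SZ values are service groups; skip anything else.
    if ($members -isnot [string[]]) { continue }

    foreach ($svc in $members) {
        $svcPath = Join-Path -Path $servicesKey -ChildPath $svc

        # Finding 1/2: svchost resolves the service through the Services key,
        # so a group member with no subkey there cannot be executed.
        if (-not (Test-Path -Path $svcPath)) {
            [pscustomobject]@{ Group = $group; Service = $svc
                               Status = 'no Services subkey'; ImagePath = $null; ServiceDll = $null }
            continue
        }

        $imagePath  = (Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue).ImagePath
        $serviceDll = (Get-ItemProperty -Path (Join-Path -Path $svcPath -ChildPath 'Parameters') `
                          -ErrorAction SilentlyContinue).ServiceDll

        $status = 'ok'
        if (-not $imagePath) {
            $status = 'no ImagePath'                       # stub entry, will not start
        } elseif ($imagePath -notmatch 'svchost\.exe') {
            $status = 'ImagePath does not reference svchost.exe'   # e.g. a tampered path (finding 3)
        } elseif (-not $serviceDll) {
            $status = 'no Parameters\ServiceDll'           # svchost has nothing to load
        } elseif ($serviceDll -notmatch '^(%SystemRoot%|[A-Za-z]:\\Windows)\\system32\\') {
            $status = 'ServiceDll outside system32'        # heuristic: worth a closer look
        }

        [pscustomobject]@{ Group = $group; Service = $svc
                           Status = $status; ImagePath = $imagePath; ServiceDll = $serviceDll }
    }
}

# Show everything that is not a clean, fully registered svchost-hosted service.
$report | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

On a clean XP or later install the output is usually a handful of stale group members whose Services subkey no longer exists, which is harmless; the rows worth the analyst's time are registered services whose ServiceDll lives somewhere other than system32 or whose ImagePath has been altered away from the standard svchost.exe -k form.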

So there you are. I am going to play with this a bit more, and bad guys can still use the method Harlan Carvey documented on the SecureWorks blog to hide as a legitimate service. Otherwise my testing just led to execution failures and dead ends, which is good for the analyst!

Did you find something different? Leave a comment or email me dcowen@g-cpartners.com