Persistence with Windows Service Controller (SC)
Good afternoon.
When a service is created, the process it launches runs with SYSTEM privileges by default. This is why administrators must be careful when configuring the access control permissions on a service.
A service created with the SC command on Windows usually runs with default settings, and if its executable is not written as a proper service it dies after about 30 seconds.
In Windows, the SYSTEM account is similar to, but not identical to, the root account on Linux. It is the service account used by the Service Control Manager (SCM) and the highest privilege level in Windows. Under the user model it is still subject to some restrictions, but attackers may use this privilege to compromise the system.
SC calls the SCM API with SYSTEM privileges, so it configures the service directly without any restrictions.
The SCM maintains a database of installed and configured services and the status of all services.
So, what happens if a service starts but fails to properly report its status to the Service Control Manager (SCM)?
It is terminated automatically.
In our example, we first download the .exe file using Python. Then we use a command prompt running as administrator to create the service with the default settings. After that, we use the /k option of cmd.exe, which executes the command and keeps the process running.
This is the basic mechanism that the Anchor malware uses to spread by creating a new service.
Resources:
MITRE ATT&CK T1543.003: https://attack.mitre.org/techniques/T1543/003/