
Stealthier persistence using new services purposely vulnerable to path interception

Description: Identify all services running on your machines 

What The Data Shows: Unquoted Service Paths is a widely known technique for privilege escalation on Windows machines – but it can also be leveraged to establish stealthy persistence by creating new services that are purposely vulnerable to this flaw. Look for the least prevalent services to see what they are doing on machines and whether they are legitimate. See this article for more information: https://blog.christophetd.fr/stealthier-persistence-using-new-services-purposely-vulnerable-to-path-...

SQL: 

SELECT name, path FROM services WHERE path LIKE '% %' AND path LIKE '%.exe';
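
To act on the "least prevalent" advice, the added example below (not part of the original post or of any Carbon Black tooling) groups exported results of the query above by service and lists, for services seen on only one endpoint, the intermediate locations to inspect for an unexpected executable. The CSV layout, the `device` column, and all host and service names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: query results exported per endpoint (device column assumed).
SAMPLE_CSV = r"""device,name,path
host-01,ExampleAgent,C:\Program Files\Example Corp\agent.exe
host-02,ExampleAgent,C:\Program Files\Example Corp\agent.exe
host-03,ExampleAgent,C:\Program Files\Example Corp\agent.exe
host-02,UpdaterSvc,C:\ProgramData\Sys Tools\Update Helper\svc.exe
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def interception_candidates(path):
    """Locations Windows tries before the real binary when the path is unquoted."""
    path = path.strip()
    if path.startswith('"'):
        return []  # quoted paths are resolved exactly as written
    found = []
    for i, ch in enumerate(path):
        if ch == " ":
            prefix = path[:i]
            found.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return found

def least_prevalent(rows, max_devices=1):
    """Return unquoted-path services seen on at most max_devices endpoints."""
    seen = defaultdict(set)
    for row in rows:
        seen[(row["name"], row["path"])].add(row["device"])
    findings = []
    for (name, path), devices in seen.items():
        check = interception_candidates(path)
        if check and len(devices) <= max_devices:
            findings.append({"name": name, "path": path,
                             "devices": sorted(devices), "check": check})
    return sorted(findings, key=lambda f: (len(f["devices"]), f["name"]))

if __name__ == "__main__":
    for f in least_prevalent(load_rows(SAMPLE_CSV)):
        print(f["name"], f["devices"], f["path"])
        for candidate in f["check"]:
            print("  inspect for an unexpected file:", candidate)
```

A service that appears on a single endpoint and has a file present at one of the listed locations deserves a closer look at its binary, signer and creation time.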

 

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved