#2 - Writing to svcctl

Question:

You’re looking at a machine while an actor is active. You see an SMB connection to the following path:

\\remoteMachine\IPC$\svcctl

What is the actor trying to do?

Bonus Question

You look at remoteMachine and all event logs have been cleared except for Microsoft-Windows-RPC. You find the following events of interest. All events are Event ID: 6.

  1. Server RPC call started.
    InterfaceUuid: {367abb81-9844-35f1-ad32-98f038001003}
    OpNum: 0xF
    Protocol: TCP
    Endpoint \pipe\ntsvcs

  2. Server RPC call started.
    InterfaceUuid: {367abb81-9844-35f1-ad32-98f038001003}
    OpNum: 0xC
    Protocol: TCP
    Endpoint \pipe\ntsvcs

  3. Server RPC call started.
    InterfaceUuid: {367abb81-9844-35f1-ad32-98f038001003}
    OpNum: 0x1F
    Protocol: TCP
    Endpoint \pipe\ntsvcs

  4. Server RPC call started.
    InterfaceUuid: {367abb81-9844-35f1-ad32-98f038001003}
    OpNum: 0x2
    Protocol: TCP
    Endpoint \pipe\ntsvcs

What can this tell us about the actor's activity?


Answer:

The IPC$ share is used for remotely writing to Named Pipes. The svcctl Named Pipe is most commonly used for creating services, although there are a few pipes that can do that.

The actor may have been trying to create a service on remoteMachine.

This technique is used by a number of tools, most commonly PsExec. PsExec first copies a binary to the ADMIN$ share, then writes to the IPC$ share to create a service that executes the copied binary.

Bonus Question

These events show us four RPC calls to the ntsvcs pipe. Looking at section 3.1.4 of the Service Control Manager Remote Protocol specification (MS-SCMR), we can see that the four opnums stand for:

  • 0xF: Service Control Manager opened
  • 0xC: Service created
  • 0x1F: Service started
  • 0x2: Service deleted

Link: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f?redirectedfrom=MSDN
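As an added example (not part of the original post), here is a small Python parser and detector for Event ID 6 entries in the layout quoted above. It maps the SCMR interface UUID and opnums to their MS-SCMR method names, going beyond the four opnums in the question to cover both the ANSI and Unicode variants listed in section 3.1.4, and flags the ordered create, start, delete sequence that survives in the RPC log after the other logs are cleared. The sample log is constructed from the four events in the bonus question.

```python
import re

# Interface UUID of [MS-SCMR] as it appears in the page's Event ID 6 entries.
SCMR_UUID = "367abb81-9844-35f1-ad32-98f038001003"
# Opnum -> method name, from [MS-SCMR] section 3.1.4 (subset relevant here).
SCMR_OPNUMS = {
    0x2: "RDeleteService", 0xC: "RCreateServiceW", 0xF: "ROpenSCManagerW",
    0x13: "RStartServiceW", 0x18: "RCreateServiceA", 0x1B: "ROpenSCManagerA",
    0x1F: "RStartServiceA",
}
# Collapse the ANSI/Unicode variants into one lifecycle stage each.
STAGE = {"ROpenSCManagerW": "open", "ROpenSCManagerA": "open",
         "RCreateServiceW": "create", "RCreateServiceA": "create",
         "RStartServiceW": "start", "RStartServiceA": "start",
         "RDeleteService": "delete"}

EVENT_RE = re.compile(
    r"InterfaceUuid:\s*\{([0-9a-fA-F-]+)\}\s*OpNum:\s*0x([0-9a-fA-F]+)"
    r"\s*Protocol:\s*(\w+)\s*Endpoint:?\s*(\S+)")

def parse_rpc_events(text):
    """Extract uuid/opnum/protocol/endpoint from each Event ID 6 block."""
    return [{"uuid": m.group(1).lower(), "opnum": int(m.group(2), 16),
             "protocol": m.group(3), "endpoint": m.group(4)}
            for m in EVENT_RE.finditer(text)]

def describe(event):
    """Name the SCMR method behind an event; None for other interfaces."""
    if event["uuid"] != SCMR_UUID:
        return None
    return SCMR_OPNUMS.get(event["opnum"], f"opnum {event['opnum']}")

def detect_service_execution(events):
    """Flag create -> start (-> delete) on SCMR, in that order: the trace a
    PsExec-style remote execution leaves even after other logs are cleared."""
    calls = [n for n in map(describe, events) if n]
    seq = "".join(s[0] for s in map(STAGE.get, calls) if s)  # e.g. "ocsd"
    return {"calls": calls, "remote_exec": bool(re.search("c.*s", seq)),
            "cleanup": bool(re.search("c.*s.*d", seq))}

def sample_event(opnum):
    """Constructed sample event in the layout quoted on the page."""
    return (f"Server RPC call started.\n  InterfaceUuid: {{{SCMR_UUID}}}\n"
            f"  OpNum: 0x{opnum:X}\n  Protocol: TCP\n  Endpoint \\pipe\\ntsvcs\n")

# The bonus question's four events, rebuilt here as constructed sample input.
SAMPLE_LOG = "".join(sample_event(o) for o in (0xF, 0xC, 0x1F, 0x2))
```

Running `detect_service_execution(parse_rpc_events(SAMPLE_LOG))` names all four calls and reports both `remote_exec` and `cleanup` as true; a log with only an open and an unrelated opnum reports neither.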
