RecoverIt is a new tool. It gives red teamers a stealthy way to move laterally through networks while maintaining persistence. This article looks at how attackers abuse the Windows service recovery feature. By abusing this built-in feature, RecoverIt sidesteps popular detection tools that watch for newly installed services or altered file paths.
Attackers have long created or modified Windows services to run malware, using tools such as PsExec and Impacket. These techniques are noisy, however. Defenders keep a close eye on the file a service points to, known as the "ImagePath", and endpoint detection and response (EDR) tools quickly flag it if it points at something suspicious, such as C:\Temp\malware.exe.
Even DLL hijacking is becoming harder to conceal. In response, security researcher TwoSevenOneT developed RecoverIt. It targets the "Recovery" settings in a service's properties rather than the ImagePath itself.
Windows services have failure recovery options: when a service crashes, Windows can restart it or launch a custom program. RecoverIt identifies services that crash frequently when disabled, such as UevAgentService.
The recovery action is then configured to execute a malicious command, such as a reverse shell. The procedure is simple:
1. Select a service that crashes frequently.
2. Configure its recovery action to run your payload.
3. Start the service; it crashes and stops.
4. services.exe executes your code as the "recovery" action.
Like conventional techniques, this runs with SYSTEM privileges, but it stays covert: there are no new services or suspicious ImagePaths to report. The data from the Windows Event

Traditional vs. RecoverIt comparison:

| Feature | Traditional service abuse (PsExec, Impacket) | Service recovery abuse (RecoverIt) |
| --- | --- | --- |
| Execution vector | Creates a new service or modifies an existing one | Uses the "failure recovery" action of an existing service |
| ImagePath status | Changed to a suspicious binary (e.g. C:\Temp\malware.exe) | Untouched; still points at the legitimate file (e.g. svchost.exe) |
| Trigger mechanism | Service starts (payload runs immediately) | Payload runs after the service crashes |
| Stealth level | Low to medium; EDRs watch this closely | High; bypasses service-creation monitors and ImagePath checks |
| Privileges | SYSTEM | SYSTEM (via services.exe) |
| Principal artifacts | New service logs, binary on disk, registry modifications | Crash event logs and a FailureCommand registry change |

A quick look at the service shows a typical Microsoft-signed executable.
The rarely used FailureCommand value is what conceals the trick. Watch for any changes to service recovery settings, particularly unusual commands in the FailureCommand or FailureActions registry values. Also watch Event IDs 7024 and 7031 (service crashes/terminations) and the processes that services.exe spawns afterwards. Tools such as Sysmon can help log these.
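A defender-side audit of the two registry values named above, as an added example that is not part of this article or of the RecoverIt project. It assumes the commonly reported (not officially documented) binary layout of the FailureActions value; on a live host the values would be read with winreg from HKLM\SYSTEM\CurrentControlSet\Services\<name>, and the sample snapshot below is constructed.

```python
import struct

# Assumed layout of the REG_BINARY FailureActions value (commonly reported,
# not officially documented; verify against your own registry exports):
# five DWORDs (reset period, reboot-msg offset, command offset, action count,
# offset of the action array), then (action type, delay_ms) DWORD pairs.
ACTION_NAMES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}


def parse_failure_actions(blob: bytes) -> list:
    """Return (action_name, delay_ms) pairs from a FailureActions blob."""
    if len(blob) < 20:
        return []
    _reset, _reboot_off, _cmd_off, count, actions_off = struct.unpack_from("<5I", blob, 0)
    actions = []
    for i in range(count):
        pos = actions_off + 8 * i
        if pos + 8 > len(blob):  # truncated or malformed blob: stop, don't crash
            break
        kind, delay = struct.unpack_from("<2I", blob, pos)
        actions.append((ACTION_NAMES.get(kind, f"unknown({kind})"), delay))
    return actions


def audit_services(services: dict) -> list:
    """services maps name -> {'FailureActions': bytes|None, 'FailureCommand': str|None}.
    Returns one finding per service whose recovery runs a command."""
    findings = []
    for name, values in services.items():
        actions = parse_failure_actions(values.get("FailureActions") or b"")
        cmd = (values.get("FailureCommand") or "").strip()
        if cmd or any(a == "run_command" for a, _ in actions):
            findings.append(f"{name}: actions={actions} FailureCommand={cmd!r}")
    return findings


def build_failure_actions(actions, reset=86400) -> bytes:
    """Pack (type, delay_ms) pairs into the layout above; used for sample data only."""
    header = struct.pack("<5I", reset, 0, 0, len(actions), 20)
    return header + b"".join(struct.pack("<2I", k, d) for k, d in actions)


# Constructed sample snapshot (not real registry data): a normally configured
# service, and one whose recovery was pointed at the article's example path.
SAMPLE = {
    "Spooler": {"FailureActions": build_failure_actions([(1, 60000), (1, 60000), (0, 0)]),
                "FailureCommand": None},
    "UevAgentService": {"FailureActions": build_failure_actions([(3, 1000)]),
                        "FailureCommand": r"C:\Temp\malware.exe"},
}

if __name__ == "__main__":
    for finding in audit_services(SAMPLE):
        print(finding)
```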
RecoverIt shows that attackers are becoming more cunning. To stay ahead, defenders need to monitor service recovery configurations.