A new offensive security tool named “RecoverIt” has been released, offering red teamers a stealthy method for lateral movement and persistence by abusing the Windows Service recovery mechanism.
The tool circumvents traditional detection methods that focus on monitoring service creation and binary paths.
For years, attackers have moved laterally across networks by creating or modifying Windows services to run malicious code.
Tools like PsExec and Impacket rely on this technique, but it has a major flaw: noise. Defenders heavily monitor the ImagePath, the specific file path a service executes when it starts.
When an attacker changes a service’s ImagePath to point to a malware file (e.g., C:\Temp\malware.exe), Endpoint Detection and Response (EDR) systems often flag it immediately.
Even techniques like DLL hijacking have become harder to hide as security teams scrutinize service configurations more closely.
How “RecoverIt” Works
Developed by security researcher TwoSevenOneT, the “RecoverIt” tool introduces a novel workaround by leaving the legitimate ImagePath completely untouched.
Instead, it weaponizes the Recovery tab in Windows Services properties.
Windows services have a built-in “failure recovery” feature that helps administrators manage crashes.
If a service fails, Windows can be configured to automatically restart it or, crucially, run a specific program.

“RecoverIt” automates the process of finding a service that naturally crashes, such as the UevAgentService when disabled, and modifying its recovery logic.
The attack flow is simple but effective:
- Identify a Target: The tool identifies a service that is prone to crashing or can be forced to crash.
- Modify Recovery Actions: It configures the service to execute a malicious command (like a reverse shell) whenever a failure occurs.
- Trigger the Crash: The attacker starts the service. It runs, crashes as expected, and the Windows Service Control Manager (SCM) automatically executes the payload as a “recovery” action.
This technique is dangerous because it bypasses the primary indicator of compromise (IOC) for services, the ImagePath.
Comparison: Traditional vs. Service Recovery Abuse
| Feature | Traditional Service Abuse (e.g., PsExec, Impacket) | Service Recovery Abuse (RecoverIt) |
|---|---|---|
| Execution Vector | Creates or modifies a service to run a payload directly. | Exploits the “Failure Recovery” action of an existing service. |
| ImagePath Status | Modified / Malicious. Points to a suspicious binary (e.g., C:\Temp\malware.exe) or uses a hijacked DLL. | Legitimate / Untouched. Points to a valid, signed Windows executable (e.g., C:\Windows\System32\svchost.exe). |
| Trigger Mechanism | Service Start (payload runs immediately). | Service Crash (payload runs as a recovery action after the service fails). |
| Stealth Level | Low to Medium. Highly monitored by EDRs and Sysmon. | High. Bypasses standard ImagePath and service creation monitoring rules. |
| Privileges | Typically SYSTEM (inherited from the service). | SYSTEM (executed by services.exe upon failure). |
| Primary Artifacts | New service creation logs, binary on disk, registry ImagePath changes. | FailureCommand registry key modification, Event Logs for service crashes. |
A security analyst looking at the service would see a valid, signed Microsoft executable in the file path, potentially marking it as safe.
The malicious activity is hidden in the FailureCommand configuration, which is rarely audited during standard checks.
Detection and Mitigation
To detect this activity, security teams must expand their monitoring beyond standard service creation logs.
Defenders should alert on changes to service recovery settings, specifically looking for unusual commands in the FailureCommand and FailureActions registry values.
Additionally, monitoring Windows Event Logs can reveal this behavior.
High volumes of Event IDs 7024 and 7031 (service termination and crash events), followed by immediate process execution by services.exe, can indicate an active attempt to exploit this recovery feature.
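As an added example (not part of the article or the RecoverIt tool), the audit check below decodes the FailureActions REG_BINARY value and flags any service whose recovery policy includes a run-command action, reporting the paired FailureCommand string for review. It assumes the value uses the SERVICE_FAILURE_ACTIONS layout with pointers stored as byte offsets, and the service entries are a constructed sample, not a real registry export.

```python
from __future__ import annotations
import struct

# SC_ACTION type codes from winsvc.h
ACTION_NAMES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}

def parse_failure_actions(blob: bytes) -> dict:
    """Decode a FailureActions REG_BINARY value.
    Assumed layout: SERVICE_FAILURE_ACTIONS with pointers stored as byte offsets:
    dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions (5 x DWORD),
    followed by cActions SC_ACTION entries of {DWORD Type; DWORD Delay}."""
    if len(blob) < 20:
        raise ValueError("FailureActions value shorter than its 20-byte header")
    reset, _reboot_msg, _cmd, count, act_off = struct.unpack_from("<5I", blob, 0)
    if act_off + 8 * count > len(blob):
        raise ValueError("action array runs past end of value")
    raw = [struct.unpack_from("<2I", blob, act_off + 8 * i) for i in range(count)]
    return {"reset_period": reset,
            "actions": [(ACTION_NAMES.get(t, f"unknown({t})"), delay) for t, delay in raw]}

def build_failure_actions(reset: int, actions: list[tuple[int, int]]) -> bytes:
    """Encode the same structure; used here only to construct sample data."""
    header = struct.pack("<5I", reset, 0, 0, len(actions), 20)
    return header + b"".join(struct.pack("<2I", t, d) for t, d in actions)

def audit_recovery(services: dict[str, tuple[bytes, str | None]]) -> list[str]:
    """Flag every service whose recovery actions run a command.
    `services` maps service name -> (FailureActions bytes, FailureCommand or None),
    i.e. the two values under HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>."""
    findings = []
    for name, (blob, command) in services.items():
        parsed = parse_failure_actions(blob)
        if any(kind == "run_command" for kind, _ in parsed["actions"]):
            findings.append(f"{name}: failure recovery runs a command: {command or '<empty>'}")
    return findings

# Constructed sample snapshot (not real registry data): one benign restart policy
# and one service reconfigured the way the article describes.
SAMPLE = {
    "Spooler": (build_failure_actions(86400, [(1, 60000), (1, 60000), (0, 0)]), None),
    "UevAgentService": (build_failure_actions(0, [(3, 0)]), r"C:\Temp\malware.exe"),
}

if __name__ == "__main__":
    for line in audit_recovery(SAMPLE):
        print(line)
```

On a live host the same two values can be read per service with winreg or exported with reg.exe and fed to `audit_recovery`.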