A new open-source offensive security tool named \u201cRecoverIt\u201d has been released, offering Red Teamers and penetration testers<\/a> a novel method for establishing persistence and executing lateral movement on compromised Windows systems.<\/p>\n The tool, developed by security researcher TwoSevenOneT, weaponizes the built-in failure recovery mechanism of Windows Services to trigger arbitrary code execution, bypassing some of the most common detection heuristics used by Endpoint Detection and Response (EDR) systems<\/a>.<\/p>\n Windows Services are designed with resilience in mind. The Service Control Manager (SCM) includes a \u201cRecovery\u201d tab for each service, allowing system administrators to define specific actions if a service fails unexpectedly.<\/p>\n These actions typically include restarting the service, restarting the computer, or, most critically for this exploit, running a specific program.<\/p>\n RecoverIt abuses this functionality by programmatically modifying a service\u2019s configuration to execute a malicious payload instead of a legitimate recovery tool.<\/p>\n The tool operates by taking three simple arguments: the target service name, the program to execute upon failure, and the parameters for that program.<\/p>\n In the documentation accompanying the release, the security researcher TwoSevenOneT highlights<\/a> a specific scenario involving the \u201cUevAgentService\u201d (User Experience Virtualization Agent).<\/p>\n Research revealed that this service is prone to crashing immediately upon execution if the broader UE-V service is disabled on the host machine.<\/p>\n By targeting an unstable service like UevAgentService, an attacker can create a reliable trigger mechanism. The attacker uses RecoverIt to configure the service so that when the inevitable crash occurs, the Windows Service Control Manager ( Because the execution is spawned directly by The release of RecoverIt highlights<\/a> a shift in evasion tactics. Traditionally, attackers seeking persistence via Windows Services have focused on modifying the However, because this is a well-known attack vector, SysAdmins and EDR solutions<\/a> now monitor it RecoverIt circumvents this scrutiny entirely. It leaves the legitimate While the execution method is stealthy, it is not invisible. The primary challenge for defenders is that the malicious payload execution is not explicitly detailed in the standard service crash event logs.<\/p>\n As shown in the researcher\u2019s findings, the Windows Event Log records service failures<\/a> (e.g., UevAgentService terminating unexpectedly) but does not necessarily log the\u00a0program\u00a0that the recovery handler subsequently launched\u00a0in the same event entry.<\/p>\n To detect this technique, security teams must broaden their monitoring scope. Detection logic should be updated to alert on changes to service recovery configurations, specifically monitoring for modifications to Furthermore, process monitoring should scrutinize child processes spawned by The release of RecoverIt serves as a reminder that legitimate system administration features often provide the most effective camouflage for attackers, necessitating a defense-in-depth approach that looks beyond standard indicators of compromise.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New RecoverIt Tool Exploits Windows Service Failure Recovery Functions to Execute Payload<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"RecoverIt](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizBtP79F4JWcCqd5mvCeOYo89UswnCT_VJqeTsnx4tIgrErydnYb6mz5Qz9lKP7ECrwRoc3NlmQ2Ytz_rkZJJ6sPEyt-suZtVtxf70IBNF4lDgk3Qc0nxoMeh9kQ-0HimkdTVhCJycV8JKQVOolPHL9op2uvNVrZFYnjiOnZvxuboz_TMOqEhuifotX5Uf\/s16000\/RecoverIt%25202.webp?ssl=1\")
Windows Service Failure Recovery Functions Exploited<\/strong><\/h2>\n
services.exe<\/code>) automatically executes the defined payload such as a Command Prompt (cmd.exe<\/code>) or a Cobalt Strike beacon.<\/p>\n![\"RecoverIt](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjZ2qJ94Y2yJaVZpDeynU2MSiWK1LOCVTUCN5aV_P2_D6P8p3Dxaaq-sriskyw3GRBwr1oys3IWldE7zGLCHScV1LohzyhPpVqjoHxu1F-fNrix8lyv1iVR4izJP9yGTmqpbucee17KrxDu9ClwQ7KUk3fG9skeSjxoyDy9CID1jmAztralgCf6kMQifhu1\/s16000\/RecoverIt%25201%2520.webp?ssl=1\")
services.exe<\/code> as a recovery action, it blends in with legitimate system background activity, potentially masking the malicious intent from casual observation.<\/p>\nImagePath<\/code> (or binPath<\/code>) the registry value that tells Windows which executable to run when starting a service.<\/p>\nImagePath<\/code> extensively for unauthorized changes or suspicious binaries.<\/p>\nImagePath<\/code> untouched. Instead, it modifies the FailureCommand<\/code> and FailureActions<\/code> configurations. As noted in the tool\u2019s summary, \u201cSysAdmins tend to focus more on the ImagePath of services,\u201d leaving the recovery settings as a blind spot in many defensive postures.<\/p>\n![\"Windows](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh11EdAbbeMAk3PhyphenhyphenrOWeTs4YR_eBZmzC8378S1HvssnPN81Yc_U6PrOic8MGHoyuCn3PTcAazeDLHKYpFcyQbWIwJ8iZ2oz6WUPiDJHdMVdqrpBZTyufo_g6RNd8BykbEfrxedozKJBZxXKci71Hp5EvpgftoRa0oFJrnlhZF6AoPdtGGVACj8KfeV3CcM\/s16000\/RecoverIt%25203.webp?ssl=1\")
FailureCommand<\/code> and FailureActions<\/code> registry keys.<\/p>\nservices.exe<\/code> that correlate with service failure events, particularly if those child processes are command interpreters like PowerShell or CMD.<\/p>\n