Unusual Windows Service

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services,
14malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique
15services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
16"""
17false_positives = [
18    """
19    A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
20    alert.
21    """,
22]
23from = "now-45m"
24interval = "15m"
25license = "Elastic License v2"
26machine_learning_job_id = ["v3_windows_anomalous_service"]
27name = "Unusual Windows Service"
28references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
29risk_score = 21
30rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
31severity = "low"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"]
33type = "machine_learning"
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1543"
39name = "Create or Modify System Process"
40reference = "https://attack.mitre.org/techniques/T1543/"
41
42
43    [[rule.threat.technique.subtechnique]]
44    id = "T1543.003"
45    name = "Windows Service"
46    reference = "https://attack.mitre.org/techniques/T1543/003/"
47
48
49[rule.threat.tactic]
50id = "TA0003"
51name = "Persistence"
52reference = "https://attack.mitre.org/tactics/TA0003/"