Unusual Windows Service

A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3maturity = "production"
 4updated_date = "2023/03/06"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7
 8[rule]
 9anomaly_threshold = 50
10author = ["Elastic"]
11description = """
12A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services,
13malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique
14services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
15"""
16false_positives = [
17    """
18    A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
19    alert.
20    """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_windows_anomalous_service"]
26name = "Unusual Windows Service"
27references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
28risk_score = 21
29rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
30severity = "low"
31tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"]
32type = "machine_learning"
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1543"
38name = "Create or Modify System Process"
39reference = "https://attack.mitre.org/techniques/T1543/"
40
41
42    [[rule.threat.technique.subtechnique]]
43    id = "T1543.003"
44    name = "Windows Service"
45    reference = "https://attack.mitre.org/techniques/T1543/003/"
46
47
48[rule.threat.tactic]
49id = "TA0003"
50name = "Persistence"
51reference = "https://attack.mitre.org/tactics/TA0003/"

to-top