Unusual Windows Service
A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services, so a service that appears on only one or a few hosts stands out against the population. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
Elastic rule
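The rule relies on population rarity: a service seen on almost every host is normal, one seen on a single host is suspicious. The following Python is an added illustration of that idea and is not Elastic's ML job, scoring algorithm, or any code from the detection-rules repository. It assumes a constructed service inventory (host, service name, image path) and uses a simplified integer rarity score compared against the rule's `anomaly_threshold` of 50; the `expected_rare` allowlist models the documented false positive of programs that legitimately run only as part of a monthly or quarterly workflow.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample inventory: (host, service name, image path).
# These records are invented for illustration, not real telemetry.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-001", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-002", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-003", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-004", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-005", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ws-001", "Dnscache", r"C:\Windows\System32\svchost.exe"),
    ("ws-002", "Dnscache", r"C:\Windows\System32\svchost.exe"),
    ("ws-003", "Dnscache", r"C:\Windows\System32\svchost.exe"),
    ("ws-004", "Dnscache", r"C:\Windows\System32\svchost.exe"),
    ("ws-005", "Dnscache", r"C:\Windows\System32\svchost.exe"),
    ("ws-001", "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),   # partial rollout
    ("ws-002", "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    ("ws-003", "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    ("ws-003", "UpdSvcHelper", r"C:\Users\Public\updsvc.exe"),         # unique to one host
    ("ws-004", "QuarterlyReport", r"C:\Program Files\Finance\report.exe"),  # rare but expected
]

# Mirrors anomaly_threshold = 50 in the rule definition.
ANOMALY_THRESHOLD = 50


def rarity_scores(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, Tuple[int, int]]:
    """Return {service: (host_count, score)}.

    score is an integer 0..100 where higher means the service runs on a
    smaller share of the population. This is a deliberately simple stand-in
    (an assumption of this example) for the ML job's rarity modelling.
    """
    records = list(inventory)
    hosts = {host for host, _, _ in records}
    seen_on: Dict[str, set] = defaultdict(set)
    for host, service, _ in records:
        seen_on[service].add(host)
    total = len(hosts)
    # Integer arithmetic keeps scores exact and avoids float rounding surprises.
    return {
        service: (len(on), 100 - (100 * len(on)) // total)
        for service, on in seen_on.items()
    }


def flag_unusual(
    inventory: Iterable[Tuple[str, str, str]],
    threshold: int = ANOMALY_THRESHOLD,
    expected_rare: FrozenSet[str] = frozenset(),
) -> List[Tuple[str, int, int]]:
    """Return (service, host_count, score) for services at or above the
    threshold, excluding services an analyst has documented as rare but
    legitimate (the monthly/quarterly workflow case). Sorted by score, then name."""
    hits = [
        (service, count, score)
        for service, (count, score) in rarity_scores(inventory).items()
        if score >= threshold and service not in expected_rare
    ]
    return sorted(hits, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for service, count, score in flag_unusual(
        SAMPLE_INVENTORY, expected_rare=frozenset({"QuarterlyReport"})
    ):
        print(f"unusual service: {service} on {count} host(s), score {score}")
```

Running the module flags only `UpdSvcHelper` (one host, score 80): `VendorAgent` on three of five hosts scores 40 and stays below the threshold, and `QuarterlyReport` is suppressed by the allowlist. Tuning the threshold down would surface partial rollouts like `VendorAgent` at the cost of more triage, which is the same trade-off the rule's `anomaly_threshold` and `false_positives` fields describe.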
```toml
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services,
malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique
services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.
"""
false_positives = [
    """
    A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this
    alert.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_windows_anomalous_service"]
name = "Unusual Windows Service"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

    [[rule.threat.technique.subtechnique]]
    id = "T1543.003"
    name = "Windows Service"
    reference = "https://attack.mitre.org/techniques/T1543/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
Related rules
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Unusual Process For a Windows Host
- Unusual Windows Path Activity
- Anomalous Process For a Linux Population