Remote Windows Service Installed

Identifies a network logon followed by Windows service creation with the same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.


 1[metadata]
 2creation_date = "2022/08/30"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral
13movement, but will be noisy if commonly done by administrators."
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Remote Windows Service Installed"
20risk_score = 47
21rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
22severity = "medium"
23tags = [
24    "Domain: Endpoint",
25    "OS: Windows",
26    "Use Case: Threat Detection",
27    "Tactic: Lateral Movement",
28    "Tactic: Persistence",
29    "Data Source: System",
30]
31type = "eql"
32
33query = '''
34sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
35[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
36event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
37[iam where event.action == "service-installed" and
38 not winlog.event_data.SubjectLogonId : "0x3e7" and
39 not winlog.event_data.ServiceFileName :
40               ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
41                "?:\\Windows\\System32\\VSSVC.exe",
42                "?:\\Windows\\servicing\\TrustedInstaller.exe",
43                "?:\\Windows\\System32\\svchost.exe",
44                "?:\\Program Files (x86)\\*.exe",
45                "?:\\Program Files\\*.exe",
46                "?:\\Windows\\PSEXESVC.EXE",
47                "?:\\Windows\\System32\\sppsvc.exe",
48                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
49                "?:\\WINDOWS\\RemoteAuditService.exe",
50                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
51                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
52                "?:\\Windows\\CAInvokerService.exe",
53                "?:\\Windows\\System32\\upfc.exe",
54                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
55                "?:\\Windows\\System32\\vds.exe",
56                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
57                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
58                "?:\\Windows\\System32\\certsrv.exe",
59                "?:\\Windows\\eset-remote-install-service.exe",
60                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
61                "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
62                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
63                "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
64                "?:\\Windows\\System32\\taskhostex.exe")]
65'''
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1021"
72name = "Remote Services"
73reference = "https://attack.mitre.org/techniques/T1021/"
74
75
76[rule.threat.tactic]
77id = "TA0008"
78name = "Lateral Movement"
79reference = "https://attack.mitre.org/tactics/TA0008/"
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1543"
84name = "Create or Modify System Process"
85reference = "https://attack.mitre.org/techniques/T1543/"
86[[rule.threat.technique.subtechnique]]
87id = "T1543.003"
88name = "Windows Service"
89reference = "https://attack.mitre.org/techniques/T1543/003/"
90
91
92
93[rule.threat.tactic]
94id = "TA0003"
95name = "Persistence"
96reference = "https://attack.mitre.org/tactics/TA0003/"
