Remote Windows Service Installed
Identifies a network logon followed by Windows service creation with the same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/08/30"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/02/21"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral
movement, but will be noisy if commonly done by administrators.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Windows Service Installed"
risk_score = 47
rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Lateral Movement",
  "Tactic: Persistence",
  "Data Source: Windows Security Event Logs",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
[iam where event.action == "service-installed" and
 not winlog.event_data.SubjectLogonId : "0x3e7" and
 not winlog.event_data.ServiceFileName :
 ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
 "?:\\Windows\\System32\\VSSVC.exe",
 "?:\\Windows\\servicing\\TrustedInstaller.exe",
 "?:\\Windows\\System32\\svchost.exe",
 "?:\\Program Files (x86)\\*.exe",
 "?:\\Program Files\\*.exe",
 "?:\\Windows\\PSEXESVC.EXE",
 "?:\\Windows\\System32\\sppsvc.exe",
 "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
 "?:\\WINDOWS\\RemoteAuditService.exe",
 "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
 "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
 "?:\\Windows\\CAInvokerService.exe",
 "?:\\Windows\\System32\\upfc.exe",
 "?:\\Windows\\AdminArsenal\\PDQ*.exe",
 "?:\\Windows\\System32\\vds.exe",
 "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
 "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
 "?:\\Windows\\System32\\certsrv.exe",
 "?:\\Windows\\eset-remote-install-service.exe",
 "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
 "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
 "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
 "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
 "?:\\Windows\\System32\\taskhostex.exe")]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote Windows Service Installed

Windows services are crucial for running background processes. Adversaries exploit this by installing services remotely to maintain persistence or move laterally within a network. The detection rule identifies suspicious service installations following a network logon, excluding known legitimate services, to flag potential unauthorized activities. This helps in identifying and mitigating threats early.

### Possible investigation steps

- Review the source IP address from the authentication event to determine if it is from a known or trusted network segment. Investigate any unfamiliar or suspicious IP addresses.
- Check the winlog.logon.id to correlate the logon session with the service installation event, ensuring they are part of the same session.
- Investigate the user account associated with the logon session to determine if the activity aligns with their typical behavior or role within the organization.
- Examine the service file path from the service-installed event to identify if it is a known or legitimate application. Pay special attention to any paths not excluded in the query.
- Look into the history of the computer where the service was installed (winlog.computer_name) for any previous suspicious activities or alerts.
- Assess the timing and frequency of similar events to determine if this is an isolated incident or part of a broader pattern of suspicious behavior.

### False positive analysis

- Administrative activities can trigger false positives when administrators frequently install or update services remotely. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
- Legitimate software installations or updates may appear as suspicious service installations. Maintain an updated list of authorized software paths and exclude these from the detection rule.
- Automated deployment tools like PDQ Deploy or Veeam Backup can cause false positives. Identify and exclude the service paths associated with these tools to reduce noise.
- Scheduled tasks that install or update services as part of routine maintenance can be mistaken for threats. Document and exclude these tasks from the rule to prevent unnecessary alerts.
- Internal security tools that perform regular checks or updates may also trigger alerts. Ensure these tools are recognized and their service paths are excluded from the detection criteria.

### Response and remediation

- Isolate the affected system from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
- Terminate any unauthorized services identified by the alert to stop any malicious processes from running. Use task management tools or command-line utilities to stop and disable these services.
- Conduct a thorough review of recent logon events and service installations on the affected system to identify any additional unauthorized activities or compromised accounts.
- Change passwords for any accounts that were used in the unauthorized service installation, especially if they have administrative privileges, to prevent further unauthorized access.
- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected that cannot be easily remediated.
- Implement network monitoring and alerting for similar suspicious activities, such as unexpected service installations or network logons, to enhance detection and response capabilities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or accounts have been compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
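To make the sequence logic concrete, here is an added Python re-implementation of the rule's EQL (example code written for this page, not Elastic's detection engine or the rule itself). It assumes a flat dict per event with constructed field names (ts, category, action, logon_type, outcome, source_ip, logon_id, host, service_file_name), uses only a subset of the rule's excluded paths, and runs over constructed sample events that exercise the match, the excluded-binary case, the SYSTEM logon-id exclusion and the maxspan expiry.

```python
# Added example (not Elastic's code): Python emulation of the rule's EQL sequence over constructed events.
import fnmatch
from datetime import datetime, timedelta

# Subset of the service binaries the rule excludes; '?' and '*' are EQL wildcards.
EXCLUDED_PATHS = [r"?:\Windows\System32\svchost.exe", r"?:\Program Files\*.exe",
                  r"?:\Windows\AdminArsenal\PDQ*.exe"]
LOCAL_SYSTEM_LOGON_ID = "0x3e7"  # SubjectLogonId of SYSTEM, filtered out by the rule
def path_excluded(path):
    # EQL ':' compares case-insensitively, so lower both sides before matching
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in EXCLUDED_PATHS)
def is_remote_logon(e):
    # Sequence step 1: successful network logon from a non-loopback source address
    return (e["category"] == "authentication" and e["action"] == "logged-in"
            and e["logon_type"] == "Network" and e["outcome"] == "success"
            and e.get("source_ip") not in (None, "127.0.0.1", "::1"))
def is_suspect_service_install(e):
    # Sequence step 2: service installed by a non-SYSTEM session, binary not excluded
    return (e["category"] == "iam" and e["action"] == "service-installed"
            and e["logon_id"].lower() != LOCAL_SYSTEM_LOGON_ID
            and not path_excluded(e["service_file_name"]))
def remote_service_installs(events, maxspan=timedelta(minutes=1)):
    # Emulates 'sequence by winlog.logon.id, winlog.computer_name with maxspan=1m';
    # on the service event, logon_id is assumed to carry SubjectLogonId.
    pending, hits = {}, []  # pending: (logon_id, host) -> time of qualifying logon
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["logon_id"].lower(), e["host"].lower())
        if is_remote_logon(e):
            pending[key] = e["ts"]
        elif is_suspect_service_install(e) and key in pending:
            if e["ts"] - pending[key] <= maxspan:
                hits.append((e["logon_id"], e["host"], e["service_file_name"]))
            pending.pop(key)  # the open sequence is consumed (matched or expired)
    return hits

T0 = datetime(2025, 2, 21, 9, 0, 0)
def logon(t, lid, host, ip):  # constructed 4624-style event
    return dict(ts=t, category="authentication", action="logged-in", logon_type="Network",
                outcome="success", source_ip=ip, logon_id=lid, host=host)
def svc(t, lid, host, path):  # constructed 4697-style event
    return dict(ts=t, category="iam", action="service-installed", logon_id=lid,
                host=host, service_file_name=path)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    logon(T0, "0x1A2B3C", "WS01", "10.0.0.5"),
    svc(T0 + timedelta(seconds=20), "0x1a2b3c", "WS01", r"C:\Windows\Temp\updater.exe"),
    logon(T0, "0x55AA", "WS02", "10.0.0.9"),
    svc(T0 + timedelta(seconds=30), "0x55AA", "WS02", r"C:\Windows\AdminArsenal\PDQDeployRunner-1.exe"),
    svc(T0, "0x3E7", "WS01", r"C:\Windows\Temp\updater.exe"),  # SYSTEM session: excluded
    logon(T0, "0x77", "WS03", "10.0.0.1"),
    svc(T0 + timedelta(minutes=5), "0x77", "WS03", r"C:\Temp\x.exe"),  # outside maxspan
]
```

Only the WS01 pair fires; the PDQ binary is excluded, the 0x3E7 install is filtered, and the WS03 install lands outside the one-minute window.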