Remote Windows Service Installed

Identifies a network logon followed by Windows service creation with the same LogonId. This could be indicative of lateral movement, but will be noisy in environments where administrators routinely install services remotely.


 1[metadata]
 2creation_date = "2022/08/30"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral
13movement, but will be noisy if commonly done by administrators."
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Remote Windows Service Installed"
20risk_score = 47
21rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
24type = "eql"
25
26query = '''
27sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
28[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
29event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
30[iam where event.action == "service-installed" and
31 not winlog.event_data.SubjectLogonId : "0x3e7" and
32 not winlog.event_data.ServiceFileName :
33               ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
34                "?:\\Windows\\System32\\VSSVC.exe",
35                "?:\\Windows\\servicing\\TrustedInstaller.exe",
36                "?:\\Windows\\System32\\svchost.exe",
37                "?:\\Program Files (x86)\\*.exe",
38                "?:\\Program Files\\*.exe",
39                "?:\\Windows\\PSEXESVC.EXE",
40                "?:\\Windows\\System32\\sppsvc.exe",
41                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
42                "?:\\WINDOWS\\RemoteAuditService.exe",
43                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
44                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
45                "?:\\Windows\\CAInvokerService.exe",
46                "?:\\Windows\\System32\\upfc.exe",
47                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
48                "?:\\Windows\\System32\\vds.exe",
49                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
50                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
51                "?:\\Windows\\System32\\certsrv.exe",
52                "?:\\Windows\\eset-remote-install-service.exe",
53                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
54                "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
55                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
56                "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
57                "?:\\Windows\\System32\\taskhostex.exe")]
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1021"
65name = "Remote Services"
66reference = "https://attack.mitre.org/techniques/T1021/"
67
68
69[rule.threat.tactic]
70id = "TA0008"
71name = "Lateral Movement"
72reference = "https://attack.mitre.org/tactics/TA0008/"
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1543"
77name = "Create or Modify System Process"
78reference = "https://attack.mitre.org/techniques/T1543/"
79[[rule.threat.technique.subtechnique]]
80id = "T1543.003"
81name = "Windows Service"
82reference = "https://attack.mitre.org/techniques/T1543/003/"
83
84
85
86[rule.threat.tactic]
87id = "TA0003"
88name = "Persistence"
89reference = "https://attack.mitre.org/tactics/TA0003/"

