Remote Windows Service Installed

Identifies a successful network logon followed, within the same logon session (LogonId), by the creation of a Windows service on that host. This pairing is a common lateral-movement pattern (remote service execution), but it will be noisy in environments where administrators routinely install services over the network.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/08/30"
# Integrations whose field mappings (event.action values, winlog.*) the query below relies on;
# the index patterns under [rule] point at the same data streams.
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/05/21"

 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral
11movement, but will be noisy if commonly done by administrators."
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Remote Windows Service Installed"
18risk_score = 47
19rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
20severity = "medium"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Lateral Movement",
26    "Tactic: Persistence",
27]
28type = "eql"
29
30query = '''
31sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
32[authentication where event.action == "logged-in" and winlog.logon.type : "Network" and
33event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
34[iam where event.action == "service-installed" and
35 not winlog.event_data.SubjectLogonId : "0x3e7" and
36 not winlog.event_data.ServiceFileName :
37               ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
38                "?:\\Windows\\System32\\VSSVC.exe",
39                "?:\\Windows\\servicing\\TrustedInstaller.exe",
40                "?:\\Windows\\System32\\svchost.exe",
41                "?:\\Program Files (x86)\\*.exe",
42                "?:\\Program Files\\*.exe",
43                "?:\\Windows\\PSEXESVC.EXE",
44                "?:\\Windows\\System32\\sppsvc.exe",
45                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
46                "?:\\WINDOWS\\RemoteAuditService.exe",
47                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
48                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
49                "?:\\Windows\\CAInvokerService.exe",
50                "?:\\Windows\\System32\\upfc.exe",
51                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
52                "?:\\Windows\\System32\\vds.exe",
53                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
54                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
55                "?:\\Windows\\System32\\certsrv.exe",
56                "?:\\Windows\\eset-remote-install-service.exe",
57                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
58                "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
59                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
60                "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
61                "?:\\Windows\\System32\\taskhostex.exe")]
62'''
63
64
# Two ATT&CK mappings, one per half of the sequence.
# Remote Services (T1021) covers the network logon that opens the sequence.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
# Create or Modify System Process: Windows Service (T1543.003) covers the service-installed
# event that completes the sequence.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
