Windows Service Installed via an Unusual Client
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
# Rule housekeeping read by Elastic's detection-rules tooling, not by the
# query engine. Dates are kept as "YYYY/MM/DD" strings rather than TOML dates
# (presumably the format the tooling expects; keep it when bumping).
[metadata]
creation_date = "2022/02/07"
# The rule's index patterns (logs-system.*, logs-windows.*) correspond to
# these two integrations; add an integration here if a new pattern is added there.
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# Stack floor pinned because of the breaking change in the Windows integration
# noted in min_stack_comments; the field-level impact is not spelled out here,
# so check the integration changelog before lowering this.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
administrator to SYSTEM.
"""
# Look-back window for each execution. Together with timestamp_override below
# the window is evaluated against ingest time, so events that reach the cluster
# late are presumably still picked up on a later run (the scheduling interval
# this is meant to overlap is not set in this file).
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Service Installed via an Unusual Client"
# First entry (per its title) covers creating a service by calling the SCM RPC
# interface directly; the next two document Security event 4697 and the audit
# subcategory that emits it; the last is an Elastic Security Labs intrusion
# write-up.
references = [
 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
 "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
]
# risk_score and severity describe the same band and must be changed together
# (73 sits at the top of Elastic's "high" range).
risk_score = 73
rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
# Rendered as Markdown in the UI. Security event 4697 ("A service was installed
# in the system") is only generated when the Audit Security System Extension
# subcategory is enabled for Success, so without this policy the rule has no
# data to match and will be silently blind.
setup = """## Setup

The 'Audit Security System Extension' logging policy must be configured for (Success)
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success)
"""
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: System",
]
# Evaluate the `from` window against ingest time rather than the event's own
# @timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL, one event at a time). Backslashes in the paths are
# doubled for EQL, not for TOML: the ''' literal string passes them through
# verbatim, so do not "unescape" them.
# - event.action "service-installed" is the ECS action the integration assigns
#   to the service-creation event (presumably Security 4697 -- verify against
#   the integration's pipeline if this ever stops firing).
# - The "unusual client" signal is a ClientProcessId or ParentProcessId of 0,
#   compared as strings because winlog.event_data values arrive as text
#   (confirm the field type if changing to a numeric comparison). A PID of 0
#   means the SCM did not attribute the request to a local process, which is
#   the case for a service created through the SCM RPC interface directly
#   (see the x86matthew reference). NOTE(review): confirm whether remote,
#   over-the-network service creation also reports 0, since that drives the
#   expected false-positive volume.
# - Exclusions match ServiceFileName with `:` (case-insensitive; `?` matches one
#   character, `*` any run, so the CrowdStrike entry admits any name ending in
#   -CsInstallerService.exe in that directory). They are path-only: anyone able
#   to install a service already holds administrator rights on the host and can
#   drop a binary at one of these paths to evade the rule. Pair the path with
#   ServiceName/ServiceAccount, or a signer check where the data source has
#   one, before widening this list.
# - The PDQ entry deliberately keeps the surrounding quotes and the trailing
#   space; it presumably mirrors the exact ImagePath that product registers, so
#   trimming either character breaks the match.
query = '''
configuration where host.os.type == "windows" and
 event.action == "service-installed" and
 (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and
 not winlog.event_data.ServiceFileName : (
 "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
 "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
 "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe",
 "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" "
 )
'''


# ATT&CK mapping. Service creation is T1543.003; the tactic asserted is
# Privilege Escalation (TA0004), matching the admin-to-SYSTEM angle in the
# description and the "Tactic: Privilege Escalation" tag. ATT&CK also files
# T1543 under Persistence (TA0003); that coverage is not claimed here and would
# need a second [[rule.threat]] element rather than a second tactic key.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



# Sub-table of the [[rule.threat]] element above; it must stay after that
# header and before any further [[rule.threat]] header or TOML will attach it
# to the wrong element.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"