Windows Service Installed via an Unusual Client

Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/02/07"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/05/14"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
13privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
14administrator to SYSTEM.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Windows Service Installed via an Unusual Client"
21references = [
22    "https://www.x86matthew.com/view_post?id=create_svc_rpc",
23    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
24    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
25]
26risk_score = 73
27rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
28setup = """## Setup
29
30The 'Audit Security System Extension' logging policy must be configured for (Success)
31Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success)

 1"""
 2severity = "high"
 3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 4timestamp_override = "event.ingested"
 5type = "eql"
 6
 7query = '''
 8configuration where host.os.type == "windows" and
 9  event.action == "service-installed" and
10  (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and
11  not winlog.event_data.ServiceFileName : (
12    "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
13    "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
14    "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe",
15    "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" "
16  )
17'''
18
19
20[[rule.threat]]
21framework = "MITRE ATT&CK"
22[[rule.threat.technique]]
23id = "T1543"
24name = "Create or Modify System Process"
25reference = "https://attack.mitre.org/techniques/T1543/"
26[[rule.threat.technique.subtechnique]]
27id = "T1543.003"
28name = "Windows Service"
29reference = "https://attack.mitre.org/techniques/T1543/003/"
30
31
32
33[rule.threat.tactic]
34id = "TA0004"
35name = "Privilege Escalation"
36reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top