Windows Service Installed via an Unusual Client
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/02/07"
3integration = ["system", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/01/09"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
13privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
14administrator to SYSTEM.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Windows Service Installed via an Unusual Client"
21references = [
22 "https://www.x86matthew.com/view_post?id=create_svc_rpc",
23 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
24 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
25]
26risk_score = 73
27rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
28setup = """## Setup
29
30The 'Audit Security System Extension' logging policy must be configured for (Success)
31Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success)
1"""
2severity = "high"
3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
4timestamp_override = "event.ingested"
5type = "query"
6
7query = '''
8event.action:"service-installed" and
9 (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") and
10 not winlog.event_data.ServiceFileName : (
11 "C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" or
12 "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\17706-CsInstallerService.exe"
13 )
14'''
15
16
17[[rule.threat]]
18framework = "MITRE ATT&CK"
19[[rule.threat.technique]]
20id = "T1543"
21name = "Create or Modify System Process"
22reference = "https://attack.mitre.org/techniques/T1543/"
23[[rule.threat.technique.subtechnique]]
24id = "T1543.003"
25name = "Windows Service"
26reference = "https://attack.mitre.org/techniques/T1543/003/"
27
28
29
30[rule.threat.tactic]
31id = "TA0004"
32name = "Privilege Escalation"
33reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
The RPC protocol seems to be somewhat documented, but the relevant information is so fragmented that I found it easier to reverse-engineer it from scratch. I logged the communication of the Windows...
Read More -
-
Actionable analytics designed to combat threats. Contribute to atc-project/atomic-threat-coverage development by creating an account on GitHub.
Read More
Related rules
- Access to a Sensitive LDAP Attribute
- FirstTime Seen Account Performing DCSync
- Group Policy Abuse for Privilege Addition
- Interactive Logon by an Unusual Process
- Kerberos Pre-authentication Disabled for User