Windows Service Installed via an Unusual Client

Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.


 1[metadata]
 2creation_date = "2022/02/07"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
# Detection rule definition. The query below fires on Windows service-installation
# events whose client or parent process id is reported as 0, which this rule
# treats as an "unusual client"; a short list of known benign service binaries is
# excluded by path. Telemetry depends on the audit policy described in `setup`.
[rule]
author = ["Elastic"]
description = """
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
administrator to SYSTEM.
"""
# Look-back window for each run. No run interval is set in this file, so the
# platform default applies; "now-9m" is presumably wider than that interval so
# consecutive windows overlap — confirm against the deployment's schedule.
from = "now-9m"
# Only Winlogbeat and the System/Windows integration streams are consulted.
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Windows Service Installed via an Unusual Client"
# Background reading: service creation over RPC (first link), the audit event
# carrying the process ids (second), and the logging policy that emits it (third).
references = [
    "https://www.x86matthew.com/view_post?id=create_svc_rpc",
    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md",
]
risk_score = 73
rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
# Operator prerequisite. Without 'Audit Security System Extension' (Success)
# enabled, no service-installed events reach the index and the rule is silently
# blind; there is no error, just no matches.
setup = """## Setup

The 'Audit Security System Extension' logging policy must be configured for (Success)
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success)

"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
# Evaluate the look-back window against ingest time rather than the source
# timestamp, so events that arrive late are still examined by a later run.
timestamp_override = "event.ingested"
type = "eql"

# Clause by clause:
#   - event.action == "service-installed": the service-creation audit event.
#   - ClientProcessId == "0" or ParentProcessId == "0": these fields are expected
#     to identify the process that requested the service; a reported 0 is what
#     this rule treats as an "unusual client" (the create_svc_rpc reference gives
#     the background). Both are compared as strings, as they arrive in event_data.
#   - not ServiceFileName : (...): case-insensitive wildcard exclusions for known
#     benign service binaries. They key on the path string alone — the "?:" drive
#     and "*" wildcards widen them, and the PDQ entry keeps its surrounding quotes
#     and trailing space so it matches only that exact logged form. When tuning,
#     prefer adding signer/hash conditions over broadening these path patterns.
query = '''
configuration where host.os.type == "windows" and
  event.action == "service-installed" and
  (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and
  not winlog.event_data.ServiceFileName : (
    "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
    "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
    "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe",
    "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" "
  )
'''


# ATT&CK mapping for this rule: one tactic, one technique, one sub-technique.
# The tactic is given inline on the threat element; the technique and its
# sub-technique array parse to the same structure as nested [[...]] headers.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0004", name = "Privilege Escalation", reference = "https://attack.mitre.org/tactics/TA0004/" }

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
subtechnique = [
    { id = "T1543.003", name = "Windows Service", reference = "https://attack.mitre.org/techniques/T1543/003/" },
]
