Remote Service Creation

calendar Apr 21, 2023 · attack.lateral_movement attack.persistence attack.execution attack.t1543.003  ·
Share on: linkedin copy

Detects remote execution via service creation on the destination host

Sigma rule (View on GitHub)

 1action: global
 2title: Remote Service Creation
 3id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
 4status: unsupported
 5description: Detects remote execution via service creation on the destination host
 6author: Jai Minton, oscd.community
 7date: 2020/10/05
 8references:
 9    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
10tags:
11    - attack.lateral_movement
12    - attack.persistence
13    - attack.execution
14    - attack.t1543.003 
15detection:
16    selection1:
17        EventID: 4624
18        Logon_Type: 3
19    filter1: 
20        Source_Network_Address:
21            - '::1'
22            - '127.0.0.1'
23    timeframe: 30s
24    condition: (selection1 and not filter1) or selection2
25    #   where:
26    #       selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
27    #   Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
28    #   This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe. 
29    #       This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
30    #   This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time. 
31    #   By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
32    #   Rule logic is currently not supported by SIGMA.
33    
34falsepositives:
35    - Unknown
36level: medium
37---
38 logsource:
39     product: windows
40     service: security
41 detection:
42     selection2:
43         EventID: 4697
44---
45logsource:
46    product: windows
47    service: system
48detection:
49    selection2:
50        EventID: 7045```

References

Related rules

to-top