Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Sigma rule (View on GitHub)
1title: Service Installed By Unusual Client - Security
2id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
3related:
4 - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
5 type: similar
6status: test
7description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
8references:
9 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
10 - https://www.x86matthew.com/view_post?id=create_svc_rpc
11 - https://twitter.com/SBousseaden/status/1490608838701166596
12author: Tim Rauch (Nextron Systems), Elastic (idea)
13date: 2022/09/15
14modified: 2023/01/04
15tags:
16 - attack.privilege_escalation
17 - attack.t1543
18logsource:
19 service: security
20 product: windows
21 definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
22detection:
23 selection_eid:
24 EventID: 4697
25 selection_pid:
26 - ClientProcessId: 0
27 - ParentProcessId: 0
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: high
References
-
Windows Service Installed via an Unusual Clientedit Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed...
Read More -
The RPC protocol seems to be somewhat documented, but the relevant information is so fragmented that I found it easier to reverse-engineer it from scratch. I logged the communication of the Windows...
Read More -
Related rules
- Service Installed By Unusual Client - System
- PUA - Process Hacker Execution
- KrbRelayUp Service Installation
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation
- Driver Load From A Temporary Directory