:warning: THIS IS AN EXPERIMENTAL DETECTION

This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.

Description

This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2020-07-21
  • Author: David Dorsey, Splunk
  • ID: 823136f2-d755-4b6d-ae04-372b486a5808

Annotations

ATT&CK

ID         Technique          Tactic
T1569      System Services    Execution
T1569.002  Service Execution  Execution
Kill Chain Phase
  • Installation
  • Actions on Objectives
NIST
  • ID.AM
  • PR.DS
  • PR.AC
  • DE.AE
CIS20
  • CIS 2
  • CIS 9
CVE
`wineventlog_system` EventCode=7036 
| rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state" 
| where state="running" 
| lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen 
| where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) 
| table _time dest service 
| `first_time_seen_running_windows_service_filter`

Macros

The SPL above uses the following Macros:

  • wineventlog_system
  • previously_seen_windows_services_window
  • first_time_seen_running_windows_service_filter

:information_source: first_time_seen_running_windows_service_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Lookups

The SPL above uses the following Lookups:

  • previously_seen_running_windows_services

Required fields

List of fields required to use this analytic.

  • _time
  • EventCode
  • Message
  • dest

How To Implement

While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs for this search to execute successfully. Run the baseline search Previously Seen Running Windows Services - Initial first to build the initial table of child processes and hostnames that this search depends on. Schedule the second baseline search, Previously Seen Running Windows Services - Update, at the same interval as this search to keep that table up to date and to age out old Windows services. Adjust the time window by updating the previously_seen_windows_services_window macro. Ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
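The search logic and the baseline maintenance described above can be reasoned about outside Splunk. The following Python is an added example, not code from the Splunk Threat Research team or from this analytic: it re-implements the detection (the rex extraction from EventCode 7036 messages, the filter on the running state, and the "unseen or first seen inside the window" check against a previously-seen table) and the Update baseline step that refreshes first/last seen times and ages out stale services. The event tuples, the baseline rows, the service names and the 70-minute / 30-day values are all constructed for this example; the SPL macros and the lookup schema are assumed to behave as described on this page.

```python
import re
from datetime import datetime, timedelta

# Mirrors the rex in the SPL: pull the service name and its new state out of
# the EventCode 7036 Message text.
SERVICE_STATE_RE = re.compile(
    r"The (?P<service>[-\(\)\s\w]+) service entered the (?P<state>\w+) state"
)

# Constructed sample events (not real log data): (_time, dest, EventCode, Message).
SAMPLE_EVENTS = [
    (datetime(2020, 7, 21, 9, 0, 0), "ws01", 7036,
     "The Windows Update service entered the running state."),
    (datetime(2020, 7, 21, 9, 5, 0), "ws01", 7036,
     "The Print Spooler service entered the stopped state."),
    (datetime(2020, 7, 21, 9, 10, 0), "ws02", 7036,
     "The Windows Update service entered the running state."),
    (datetime(2020, 7, 21, 9, 15, 0), "ws02", 7036,
     "The Acme Telemetry Agent service entered the running state."),
    (datetime(2020, 7, 21, 9, 20, 0), "ws02", 7045,
     "A service was installed in the system."),
]

# Constructed stand-in for the previously_seen_running_windows_services lookup,
# keyed by service name only (the SPL lookup joins on service, not dest).
BASELINE = {
    "Windows Update": {"firstTimeSeen": datetime(2020, 6, 1), "lastTimeSeen": datetime(2020, 7, 20)},
    "Print Spooler": {"firstTimeSeen": datetime(2020, 6, 1), "lastTimeSeen": datetime(2020, 7, 20)},
    "Legacy Sync": {"firstTimeSeen": datetime(2020, 1, 5), "lastTimeSeen": datetime(2020, 3, 1)},
}

NOW = datetime(2020, 7, 21, 10, 0, 0)      # stands in for now()
WINDOW = timedelta(minutes=70)             # assumed value of previously_seen_windows_services_window
MAX_AGE = timedelta(days=30)               # assumed age-out horizon for the Update baseline


def parse_event(event):
    """Return service/state fields for a 7036 event, or None if it is not one."""
    t, dest, code, message = event
    if code != 7036:
        return None
    m = SERVICE_STATE_RE.search(message)
    if not m:
        return None
    return {"_time": t, "dest": dest, "service": m.group("service"), "state": m.group("state")}


def running_services(events):
    """Equivalent of `| where state="running"` after the rex."""
    return [p for p in map(parse_event, events) if p and p["state"] == "running"]


def first_time_seen(events, baseline, now, window):
    """Report running services that are absent from the baseline or whose
    firstTimeSeen falls inside the window, as the SPL's isnull()/relative_time() test does."""
    cutoff = now - window
    results = []
    for p in running_services(events):
        entry = baseline.get(p["service"])
        if entry is None or entry["firstTimeSeen"] > cutoff:
            results.append((p["_time"], p["dest"], p["service"]))
    return results


def update_baseline(baseline, events, now, max_age):
    """The Update baseline step: record first/last seen per service and drop
    services not seen running within max_age. Returns a new table."""
    updated = {k: dict(v) for k, v in baseline.items()}
    for p in running_services(events):
        entry = updated.setdefault(
            p["service"], {"firstTimeSeen": p["_time"], "lastTimeSeen": p["_time"]}
        )
        entry["firstTimeSeen"] = min(entry["firstTimeSeen"], p["_time"])
        entry["lastTimeSeen"] = max(entry["lastTimeSeen"], p["_time"])
    cutoff = now - max_age
    return {k: v for k, v in updated.items() if v["lastTimeSeen"] >= cutoff}


if __name__ == "__main__":
    for t, dest, service in first_time_seen(SAMPLE_EVENTS, BASELINE, NOW, WINDOW):
        print(f"{t.isoformat()} {dest} {service}")
    refreshed = update_baseline(BASELINE, SAMPLE_EVENTS, NOW, MAX_AGE)
    print("baseline after update:", sorted(refreshed))
```

Running this flags only the constructed "Acme Telemetry Agent" on ws02: "Windows Update" is already in the baseline with an old firstTimeSeen, the stopped-state Print Spooler event and the 7045 event never pass the rex/state filter. After the Update step the new service is added with firstTimeSeen inside the window, so a rerun of the detection still reports it until the window elapses, and the stale "Legacy Sync" row is aged out.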

Known False Positives

A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that it was installed by a legitimate process.

Associated Analytic Story

RBA

Risk Score  Impact  Confidence  Message
25.0        50      50          tbd

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 4