⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate, or build datasets for it; use at your own risk!
This search looks for the first and last time a Windows service is seen running in your environment. The resulting table of previously seen services is cached in a lookup and consulted on each run.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-07-21
- Author: David Dorsey, Splunk
- ID: 823136f2-d755-4b6d-ae04-372b486a5808
```
`wineventlog_system` EventCode=7036
| rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state"
| where state="running"
| lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen
| where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`)
| table _time dest service
| `first_time_seen_running_windows_service_filter`
```
Associated Analytic Story
How To Implement
While this search does not require you to adhere to the Splunk CIM, you must be ingesting your Windows system event logs for it to execute successfully. First run the baseline search Previously Seen Running Windows Services - Initial to build the initial lookup table of previously seen services that this search depends on. Then schedule the second baseline search, Previously Seen Running Windows Services - Update, at the same interval as this search to keep the table current and to age out old Windows services. Update the previously_seen_windows_services_window macro to adjust the time window. Ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
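As an added illustration, not code from Splunk or this detection, the search's stages (EventCode filter, rex, running-state filter, lookup, isnull/relative_time window test) expressed in Python and run over constructed sample 7036 events. The in-memory baseline dict, the `window_minutes` argument and the host names are assumptions standing in for the lookup and macro.

```python
import re
from datetime import datetime, timedelta

# Same pattern the SPL rex stage applies to the EventCode 7036 Message field.
SERVICE_RE = re.compile(
    r"The (?P<service>[-\(\)\s\w]+) service entered the (?P<state>\w+) state"
)

# Constructed sample events, not real telemetry: (timestamp, dest, EventCode, Message).
SAMPLE_EVENTS = [
    ("2020-07-21T09:00:00", "host1", 7036, "The Windows Update service entered the running state"),
    ("2020-07-21T09:05:00", "host1", 7036, "The Windows Update service entered the stopped state"),
    ("2020-07-21T09:10:00", "host2", 7036, "The Print Spooler service entered the running state"),
    ("2020-07-21T09:12:00", "host2", 7040, "The start type of the Print Spooler service was changed"),
    ("2020-07-21T09:20:00", "host1", 7036, "The Sysmon64 service entered the running state"),
]


def running_services(events):
    """Mirror `EventCode=7036 | rex ... | where state="running"`: yield (time, dest, service)."""
    for ts, dest, code, msg in events:
        if code != 7036:
            continue
        m = SERVICE_RE.search(msg)
        if m and m.group("state") == "running":
            yield datetime.fromisoformat(ts), dest, m.group("service")


def first_time_seen(events, baseline, now, window_minutes):
    """Apply the lookup and the isnull()/relative_time() test.

    baseline maps service -> firstTimeSeen (ISO string); it stands in for the
    previously_seen_running_windows_services lookup (assumed shape). Services
    missing from it, or first seen inside the window ending at `now`, are
    reported. Newly seen services are added to the baseline, as the Update
    baseline search would. Returns [(iso_time, dest, service), ...] in event order.
    """
    cutoff = datetime.fromisoformat(now) - timedelta(minutes=window_minutes)
    alerts = []
    for ts, dest, svc in running_services(events):
        first = baseline.get(svc)
        if first is None or datetime.fromisoformat(first) > cutoff:
            alerts.append((ts.isoformat(), dest, svc))
        if first is None:
            baseline[svc] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    seen = {"Windows Update": "2020-06-01T00:00:00", "Print Spooler": "2020-07-21T09:10:00"}
    for row in first_time_seen(SAMPLE_EVENTS, seen, "2020-07-21T10:00:00", 70):
        print(row)
```

Print Spooler is reported even though it is already in the baseline, because its firstTimeSeen falls inside the window; this is the case the `OR firstTimeSeen > relative_time(...)` clause exists for, so a service added by a just-run Update baseline is not silently missed.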
Kill Chain Phase
- Actions on Objectives
Known False Positives
A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that it was installed by a legitimate process.
Version: 4