THIS IS A EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.
- Type: Anomaly
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-07-21
- Author: David Dorsey, Splunk
- ID: 823136f2-d755-4b6d-ae04-372b486a5808
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 7 `wineventlog_system` EventCode=7036 | rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`
The SPL above uses the following Macros:
first_time_seen_running_windows_service_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
The SPL above uses the following Lookups:
List of fields required to use this analytic.
How To Implement
While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search
Previously Seen Running Windows Services - Initial to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search
Previously Seen Running Windows Services - Update to keep this table up to date and to age out old Windows Services. Please update the
previously_seen_windows_services_window macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
Known False Positives
A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that was installed by a legitimate process.
Associated Analytic Story
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 4