
Description

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Endpoint_Processes
  • Last Updated: 2017-11-02
  • Author: Rico Valdez, Splunk
  • ID: 6dbd810e-f66d-414b-8dfc-e46de55cbfe2

Narrative

The Windows operating system uses a services architecture to run code in the background, much like a UNIX daemon. Attackers often leverage Windows services for persistence, hiding in plain sight while gaining the ability to run privileged code that can interact with the kernel. In many cases they create a new service to host their malicious code; they have also been observed repointing unnecessary or unused services at their own code instead of the binary that was intended. In either case, attackers typically create or modify services with tools, and in ways, that are not typical for most environments, which provides opportunities for detection.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| First Time Seen Running Windows Service | System Services, Service Execution | Anomaly |
| Illegal Service and Process Control via Mimikatz modules | Process Injection, Native API, System Services | TTP |
| Illegal Service and Process Control via PowerSploit modules | Process Injection, Native API, System Services | TTP |
| Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
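The following is an added example, not the story's own SPL searches or any Splunk code. It re-implements in Python the detection ideas behind three of the detections listed above (Sc exe and Reg exe service manipulation, and a first-time-seen service baseline) and runs them over a handful of constructed events shaped like Sysmon process-creation and System log 7045 service-install records. The field names, the list of sc.exe verbs treated as modifications, and the baseline of known services are all assumptions made for the example.

```python
"""Added example: toy versions of the service-abuse detections, run over
constructed sample events. Field names, verb list and baseline are assumed."""
import re

# Constructed events in the shape of Sysmon Event ID 1 (process creation).
PROCESS_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "process": "sc.exe",
     "cmdline": 'sc.exe create UpdaterSvc binPath= "C:\\Users\\Public\\upd.exe" start= auto'},
    {"host": "WS01", "user": "CORP\\alice", "process": "reg.exe",
     "cmdline": 'reg.exe add HKLM\\SYSTEM\\CurrentControlSet\\Services\\UpdaterSvc '
                '/v ImagePath /t REG_EXPAND_SZ /d "C:\\Users\\Public\\upd.exe" /f'},
    {"host": "WS02", "user": "CORP\\bob", "process": "sc.exe",
     "cmdline": "sc.exe query wuauserv"},
    {"host": "WS02", "user": "CORP\\bob", "process": "reg.exe",
     "cmdline": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Services\\wuauserv"},
]

# Constructed events in the shape of System log Event ID 7045 (service installed).
SERVICE_INSTALL_EVENTS = [
    {"host": "WS01", "service": "UpdaterSvc", "image": "C:\\Users\\Public\\upd.exe"},
    {"host": "WS03", "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
]

# Assumed baseline: service names already observed in this environment.
KNOWN_SERVICES = {"Spooler", "wuauserv", "WinDefend"}

# sc.exe verbs that create or change a service (assumed list, not the story's exact one).
SC_MODIFY_VERBS = {"create", "config", "delete", "failure", "sdset", "start", "stop"}

# A Services key under the current or any numbered control set, case-insensitive.
SERVICES_KEY_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\Services\\", re.IGNORECASE)


def _image_name(token):
    """Strip any directory prefix so 'C:\\Windows\\System32\\sc.exe' compares as 'sc.exe'."""
    return token.lower().rsplit("\\", 1)[-1]


def parse_sc_command(cmdline):
    """Return (verb, service) for an sc.exe command line, or None if it is not sc.exe."""
    parts = cmdline.split()
    if not parts or _image_name(parts[0]) != "sc.exe":
        return None
    args = parts[1:]
    if args and args[0].startswith("\\\\"):   # optional \\server argument
        args = args[1:]
    if not args:
        return None
    verb = args[0].lower()
    service = args[1] if len(args) > 1 else None
    return verb, service


def is_sc_service_modification(event):
    """Sc exe detection: sc.exe invoked with a verb that creates or changes a service."""
    parsed = parse_sc_command(event["cmdline"])
    return parsed is not None and parsed[0] in SC_MODIFY_VERBS


def is_reg_services_key_modification(event):
    """Reg exe detection: reg.exe add/delete against a key under ...\\Services\\."""
    parts = event["cmdline"].split()
    if len(parts) < 3 or _image_name(parts[0]) != "reg.exe":
        return False
    return parts[1].lower() in {"add", "delete"} and bool(SERVICES_KEY_RE.search(parts[2]))


def first_time_seen_services(install_events, known):
    """First-time-seen detection: service names in install events absent from the baseline."""
    seen = set(known)
    new = []
    for ev in install_events:
        if ev["service"] not in seen:
            seen.add(ev["service"])
            new.append((ev["host"], ev["service"], ev["image"]))
    return new


def run_detections(process_events, install_events, known):
    """Run all three detections and return one alert dict per hit, in event order."""
    alerts = []
    for ev in process_events:
        if is_sc_service_modification(ev):
            alerts.append({"rule": "Sc exe Manipulating Windows Services",
                           "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]})
        if is_reg_services_key_modification(ev):
            alerts.append({"rule": "Reg exe Manipulating Windows Services Registry Keys",
                           "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]})
    for host, service, image in first_time_seen_services(install_events, known):
        alerts.append({"rule": "First Time Seen Running Windows Service",
                       "host": host, "service": service, "image": image})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(PROCESS_EVENTS, SERVICE_INSTALL_EVENTS, KNOWN_SERVICES):
        print(alert)
```

Run as a script it prints three alerts: the sc.exe create, the reg.exe write to the service's ImagePath, and the never-before-seen UpdaterSvc install; the two query commands from WS02 produce nothing. In a real deployment the baseline for the first-time-seen check would be built from historical data rather than a hard-coded set, and the reg.exe rule should be tuned for legitimate administration tooling that writes under the Services key.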

Reference

  • source (version 3)