IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Windows Service Installed via an Unusual Clientedit
Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
Version: 109
Rule authors:
- Elastic
Rule license: Elastic License v2
Setupedit
Setup
The Audit Security System Extension logging policy must be configured for (Success) Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success)
Rule queryedit
configuration where host.os.type == "windows" and event.action == "service-installed" and (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and not winlog.event_data.ServiceFileName : ( "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe", "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" " )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
-
Sub-technique:
- Name: Windows Service
- ID: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/