You are looking at preliminary documentation for a future release.
Not what you want? See the
current release documentation.
Remote Windows Service Installededit
Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators."
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
- Persistence
Version: 1
Added (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule queryedit
sequence by winlog.logon.id, host.id with maxspan=1m [authentication
where event.action == "logged-in" and winlog.logon.type : "Network"
and event.outcome=="success" and source.ip != null and source.ip !=
"127.0.0.1" and source.ip != "::1"] [iam where event.action ==
"service-installed" and not winlog.event_data.SubjectLogonId :
"0x3e7" and not winlog.event_data.ServiceFileName :
("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
"?:\\Windows\\System32\\VSSVC.exe",
"?:\\Windows\\servicing\\TrustedInstaller.exe",
"?:\\Windows\\System32\\svchost.exe", "?:\\Program
Files (x86)\\*.exe", "?:\\Program Files\\*.exe",
"?:\\Windows\\PSEXESVC.EXE",
"?:\\Windows\\System32\\sppsvc.exe",
"?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
"?:\\WINDOWS\\RemoteAuditService.exe",
"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
"?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
"?:\\Windows\\CAInvokerService.exe",
"?:\\Windows\\System32\\upfc.exe",
"?:\\Windows\\AdminArsenal\\PDQ*.exe",
"?:\\Windows\\System32\\vds.exe",
"?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
"?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
"?:\\Windows\\System32\\certsrv.exe",
"?:\\Windows\\eset-remote-install-service.exe",
"?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
"?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
"?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
"?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
"?:\\Windows\\System32\\taskhostex.exe")]
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/