A newer version is available. For the latest information, see the current release documentation.
« Svchost spawning cmd.exe TCP Port 8000 Activity to the Internet »
Elastic Docs SIEM Guide [7.6] Detections (Beta) Prebuilt rule reference

System Shells via Services

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

System Shells via Services

edit

Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Rule query

edit
event.action:"Process Create (rule: ProcessCreate)" and
process.parent.name:"services.exe" and process.name:("cmd.exe" or
"powershell.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM

« Svchost spawning cmd.exe TCP Port 8000 Activity to the Internet »