System Shells via Services | SIEM Guide [7.6]

A newer version is available. For the latest information, see the current release documentation.

› › ›

« Svchost spawning cmd.exe TCP Port 8000 Activity to the Internet »

System Shells via Servicesedit

Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.

Rule indices:

winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Rule queryedit

event.action:"Process Create (rule: ProcessCreate)" and
process.parent.name:"services.exe" and process.name:("cmd.exe" or
"powershell.exe")

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: New Service
- ID: T1050
- Reference URL: https://attack.mitre.org/techniques/T1050/

« Svchost spawning cmd.exe TCP Port 8000 Activity to the Internet »