windows_service_created_within_public_path.yml
name: Windows Service Created Within Public Path
id: 3abb2eda-4bb8-11ec-9ae4-3e22fbd008af
version: 2
date: '2024-04-26'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic uses Windows Event ID 7045, `New Service Was Installed`,
  to identify the creation of a Windows service whose binary path lies outside the standard
  system and program directories (a public path). This behavior could represent the installation
  of a malicious service; red teams and adversaries alike create malicious services for lateral
  movement or remote code execution.
data_source:
- Windows Event Log System 7045
search: '`wineventlog_system` EventCode=7045 ImagePath = "*.exe" NOT (ImagePath
  IN ("*:\\Windows\\*", "*:\\Program File*", "*:\\Programdata\\*", "*%systemroot%\\*"))
  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath
  ServiceName ServiceType StartType Computer UserID | rename Computer as dest | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `windows_service_created_within_public_path_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting System
  event logs with the service name, service file name, service start type, and service type
  from your endpoints. Note that the ImagePath = "*.exe" condition is an ends-with match, so a
  service whose ImagePath is quoted or carries command-line arguments after the executable
  will not be returned by this search.
known_false_positives: Legitimate applications may install services with uncommon
  service paths.
references:
- https://docs.microsoft.com/en-us/windows/win32/services/service-control-manager
- https://pentestlab.blog/2020/07/21/lateral-movement-services/
tags:
  analytic_story:
  - Active Directory Lateral Movement
  - Snake Malware
  asset_type: Endpoint
  confidence: 60
  impact: 90
  message: A Windows Service $ServiceName$ with a public path was created on
    $dest$
  mitre_attack_id:
  - T1543
  - T1543.003
  observable:
  - name: ServiceName
    type: Other
    role:
    - Other
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - EventCode
  - Service_File_Name
  - Service_Type
  - _time
  - Service_Name
  - Service_Start_Type
  risk_score: 54
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log
    source: XmlWinEventLog:System
    sourcetype: XmlWinEventLog
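The search above cannot be run outside Splunk, so here is the same detection logic re-implemented in Python and run over constructed Event ID 7045 records in the XmlWinEventLog shape. This is an added example, not code from the Splunk security_content project; the sample events, host name and SID are made up. `spl_matches` reproduces the SPL conditions exactly (the `*.exe` glob as an ends-with test plus the four exclusion globs), and `extended_matches` goes beyond the SPL by first extracting the executable from a quoted or argument-bearing ImagePath, which is the case the original search misses.

```python
"""Added example (not the Splunk project's code): the public-path service-install
detection run over constructed 7045 events. Event layout follows the XmlWinEventLog
System-log shape; host names, SIDs and paths are invented sample data."""
from __future__ import annotations

import fnmatch
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The four exclusion globs from the SPL search. Splunk wildcard matching is
# case-insensitive, so the path is lower-cased before matching these.
EXCLUDED_PATH_GLOBS = (
    r"*:\windows\*",
    r"*:\program file*",      # covers "Program Files" and "Program Files (x86)"
    r"*:\programdata\*",
    r"*%systemroot%\*",
)


@dataclass
class ServiceInstall:
    time: str
    computer: str
    user_id: str
    service_name: str
    image_path: str
    service_type: str
    start_type: str


def parse_7045(xml_text: str) -> ServiceInstall | None:
    """Parse one System-log record; None unless it is a 7045 (New Service Was Installed)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    sec = root.find("e:System/e:Security", NS)
    tc = root.find("e:System/e:TimeCreated", NS)
    return ServiceInstall(
        time=tc.get("SystemTime", "") if tc is not None else "",
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        user_id=sec.get("UserID", "") if sec is not None else "",
        service_name=data.get("ServiceName", ""),
        image_path=data.get("ImagePath", ""),
        service_type=data.get("ServiceType", ""),
        start_type=data.get("StartType", ""),
    )


def in_excluded_path(path: str) -> bool:
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, g) for g in EXCLUDED_PATH_GLOBS)


def spl_matches(image_path: str) -> bool:
    """Faithful to the SPL: ImagePath="*.exe" NOT (ImagePath IN (excluded globs)).
    "*.exe" is an ends-with test, so a quoted path or trailing arguments defeat it."""
    return image_path.lower().endswith(".exe") and not in_excluded_path(image_path)


def binary_from_image_path(image_path: str) -> str:
    """Extension beyond the SPL: the executable from a quoted or argument-bearing ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", s)
    return m.group(1) if m else s.split(" ", 1)[0]


def extended_matches(image_path: str) -> bool:
    binary = binary_from_image_path(image_path)
    return binary.lower().endswith(".exe") and not in_excluded_path(binary)


def detect(events: list[str], matcher=spl_matches) -> list[dict]:
    """Mirror the SPL stats clause: one row per (ImagePath, ServiceName, ServiceType,
    StartType, dest, UserID) with count/firstTime/lastTime (ISO-8601 strings sort correctly)."""
    rows: dict[tuple, dict] = {}
    for xml_text in events:
        ev = parse_7045(xml_text)
        if ev is None or not matcher(ev.image_path):
            continue
        key = (ev.image_path, ev.service_name, ev.service_type, ev.start_type, ev.computer, ev.user_id)
        row = rows.setdefault(key, {"ImagePath": ev.image_path, "ServiceName": ev.service_name,
                                    "ServiceType": ev.service_type, "StartType": ev.start_type,
                                    "dest": ev.computer, "UserID": ev.user_id, "count": 0,
                                    "firstTime": ev.time, "lastTime": ev.time})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev.time)
        row["lastTime"] = max(row["lastTime"], ev.time)
    return list(rows.values())


def make_event(event_id: str, service: str, image_path: str, time: str, computer: str = "WS01") -> str:
    """Constructed System-log record (not captured from a real host)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<Provider Name="Service Control Manager"/><EventID Qualifiers="16384">{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            '<Security UserID="S-1-5-18"/></System><EventData>'
            f'<Data Name="ServiceName">{service}</Data><Data Name="ImagePath">{image_path}</Data>'
            '<Data Name="ServiceType">user mode service</Data><Data Name="StartType">demand start</Data>'
            '<Data Name="AccountName">LocalSystem</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed sample data
    make_event("7045", "PubSvc", r"C:\Users\Public\svc.exe", "2024-04-26T10:00:00.000Z"),
    make_event("7045", "PubSvc", r"C:\Users\Public\svc.exe", "2024-04-26T10:05:00.000Z"),
    make_event("7045", "UpdSvc", r'"C:\Users\bob\AppData\Local\Temp\update.exe" --svc', "2024-04-26T10:06:00.000Z"),
    make_event("7045", "SvcHost", r"C:\Windows\System32\svchost.exe -k netsvcs", "2024-04-26T10:07:00.000Z"),
    make_event("7045", "Agent", r'"C:\Program Files (x86)\Vendor\agent.exe"', "2024-04-26T10:08:00.000Z"),
    make_event("7036", "PubSvc", r"C:\Users\Public\svc.exe", "2024-04-26T10:09:00.000Z"),  # state change, not install
]
```

Run against the sample, the faithful `spl_matches` returns only the `PubSvc` row (count 2, with the two timestamps as firstTime/lastTime); `extended_matches` additionally returns `UpdSvc`, whose quoted, argument-bearing ImagePath the SPL ends-with glob does not match, while the `svchost.exe` and `Program Files (x86)` installs stay excluded under both.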