IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Windows Service Installed via an Unusual Client
editWindows Service Installed via an Unusual Client
editIdentifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Privilege Escalation
Version: 107
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") and not winlog.event_data.ServiceFileName : ( "C:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" or "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\17706-CsInstallerService.exe" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
-
Sub-technique:
- Name: Windows Service
- ID: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/