IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Windows Service Installed via an Unusual Client
editWindows Service Installed via an Unusual Client
editIdentifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Privilege Escalation
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Config The 'Audit Security System Extension' logging policy must be configured for (Success) Steps to implement the logging policy with with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > System > Audit Security System Extension (Success) ```
Rule query
editevent.action:"service-installed" and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
-
Sub-technique:
- Name: Windows Service
- ID: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/