IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Unusual Windows Remote User Unusual Windows User Calling the Metadata Service »

› › ›

Unusual Windows Service

edit

Unusual Windows Service

edit

A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence

Version: 103

Rule authors:

Elastic

Rule license: Elastic License v2

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Sub-technique:
- Name: Windows Service
- ID: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/

« Unusual Windows Remote User Unusual Windows User Calling the Metadata Service »