Commit e6711e7

updating spl
1 parent 405064e commit e6711e7

1 file changed

+4
-4
lines changed

detections/endpoint/windows_service_created_with_suspicious_service_name.yml

Lines changed: 4 additions & 4 deletions
@@ -5,14 +5,14 @@ date: '2025-02-07'
55
author: Steven Dick
66
status: production
77
type: Anomaly
8-
description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
8+
description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
99
data_source:
1010
- Windows Event Log System 7045
1111
search: |-
1212
`wineventlog_system` EventCode=7045
13-
| stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
13+
| stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
1414
| eval process_name = mvindex(split(process,"\\"),-1)
15-
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type
15+
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
1616
| lookup windows_suspicious_services service_name as object_name
1717
| where isnotnull(tool_name)
1818
| `security_content_ctime(firstTime)`
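Review bot: dropping `values(user) as user` from the stats line (13-/13+) removes the human-readable account name from the analytic's output while the new `UserID as user_id` rename (15+) keeps only the raw UserID value; if UserID is a SID, triage of a 7045 hit now requires a separate SID-to-name resolution. Consider keeping `values(user) as user` in the stats aggregation alongside `UserID` so both the account name and the identifier are available to the analyst. Also note that the 8-/8+ description lines are textually identical as rendered here, so that part of the change is presumably whitespace only and worth confirming before it lands as a diff hunk.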
@@ -44,7 +44,7 @@ rba:
4444
- field: dest
4545
type: system
4646
score: 75
47-
- field: user
47+
- field: user_id
4848
type: user
4949
score: 75
5050
threat_objects:
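Review bot: the risk object change from `field: user` to `field: user_id` (47-/47+) is consistent with the search rename above, but the `type: user` entity will now be populated from UserID rather than from the `user` field the search previously produced; if UserID is a SID, risk scores aggregate against the SID string rather than the account name, and any identity enrichment or allowlisting keyed on usernames will no longer match. Confirm that downstream risk-based alerting resolves SIDs, or keep `user` as the risk object and retain the `user` aggregation in the search.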
