Detect Suspicious Windows Service Installation
This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.
Attackers frequently abuse Windows services for persistence and privilege escalation. By creating or modifying services with malicious configurations, they can execute code with SYSTEM privileges. This rule detects suspicious service creations based on the image path, looking for services that point to command interpreters, scripts, or unusual locations. This activity is indicative of malicious actors attempting to establish persistence or escalate privileges within a compromised system. The detection focuses on identifying unusual command lines and file paths associated with newly created services based on Windows Event IDs 4697 and 7045.
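The ImagePath heuristic the rule applies can be evaluated offline against the two event sources it names. The block below is an added example, not the page's Sigma rule or any vendor code: it reads Event ID 7045 (System log, `ImagePath` field) and Event ID 4697 (Security log, `ServiceFileName` field) records, extracts the service binary, and flags the three conditions the description lists (command interpreter, script file, unusual location). The interpreter list, script extensions and directory list are assumptions to tune per environment, and the sample events, hostnames, service names and paths are constructed.

```python
"""Evaluate Windows service-installation events against the ImagePath heuristics
described above. Added example, not the page's Sigma rule. Field names follow the
real Event ID 7045 (System log) and 4697 (Security log) schemas; the heuristic
lists are assumptions to tune per environment; the sample events are constructed."""
import re

SERVICE_INSTALL_EVENT_IDS = {4697, 7045}

# Command interpreters that should not normally be a service's binary (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Script extensions anywhere in the command line (assumed list).
SCRIPT_PATTERN = re.compile(r"\.(ps1|bat|cmd|vbs|js)\b")
# User-writable directories where legitimate service binaries rarely live (assumed list).
UNUSUAL_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def image_path_of(event):
    """Return the service command line; 7045 and 4697 name the field differently."""
    if event.get("EventID") == 7045:
        return event.get("ImagePath", "")
    if event.get("EventID") == 4697:
        return event.get("ServiceFileName", "")
    return ""


def executable_of(command_line):
    """Best-effort extraction of the executable from a lower-cased service command line.
    Matches up to the first '.exe' so an unquoted path containing spaces is not cut
    at the first space; falls back to the first whitespace-delimited token."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command_line)
    if m:
        return m.group(1)
    return command_line.strip().strip('"').split(" ")[0]


def suspicious_reasons(image_path):
    """List the heuristics an ImagePath matches; an empty list means nothing matched."""
    path = image_path.lower()
    exe = executable_of(path)
    basename = re.split(r"[\\/]", exe)[-1]
    reasons = []
    if basename in INTERPRETERS:
        reasons.append("command_interpreter")
    if SCRIPT_PATTERN.search(path):
        reasons.append("script_file")
    if any(d in path for d in UNUSUAL_DIRS):
        reasons.append("unusual_location")
    return reasons


def detect(events):
    """Return one alert per service-installation event whose ImagePath matched."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in SERVICE_INSTALL_EVENT_IDS:
            continue  # not a service installation (e.g. 4688 process creation)
        image_path = image_path_of(ev)
        reasons = suspicious_reasons(image_path)
        if reasons:
            alerts.append({
                "Computer": ev.get("Computer"),
                "EventID": ev["EventID"],
                "ServiceName": ev.get("ServiceName"),
                "ImagePath": image_path,
                "reasons": reasons,
            })
    return alerts


# Constructed sample events: hostnames, service names and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "WinUpdateHelper",
     "ImagePath": r"cmd.exe /c powershell.exe -f C:\Users\Public\update.ps1",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 4697, "Computer": "WS01", "ServiceName": "CorpBackupSvc",
     "ServiceFileName": r'"C:\Program Files\Corp\backup.exe" --service',
     "ServiceAccount": "LocalSystem", "SubjectUserName": "installer"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "Updater",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe -k update",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 4697, "Computer": "WS02", "ServiceName": "Loader",
     "ServiceFileName": r"C:\ProgramData\tmp\loader.exe",
     "ServiceAccount": "LocalSystem", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "Computer": "WS02", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: `WinUpdateHelper` matches all three heuristics, `Loader` matches only the location heuristic, and the two services under `Program Files` (one quoted, one unquoted) produce nothing. The `reasons` list is what an analyst would triage first; the unquoted-path case is handled on purpose, because cutting at the first space would mis-identify the executable for many legitimate vendor services.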
Attack Chain
- Initial Access: The attacker gains initial access to the system through various means.
- Privilege Escalation: The attacker attempts to escalate privileges to SYSTEM.
- Service Creation: The attacker creates a new Windows service using tools like sc.exe, or modifies an existing one.
- Image Path Modification: The attacker sets the service’s ImagePath to point to a command interpreter (e.g., cmd.exe, powershell.exe) or a script file.
- Command Execution: The service executes the command interpreter or script with SYSTEM privileges.
- Persistence: The attacker configures the service to start automatically on system boot, ensuring persistent access.
- Malicious Activity: The attacker uses the elevated privileges to perform malicious activities, such as installing malware, stealing credentials, or compromising other systems.
Impact
Successful exploitation allows attackers to maintain persistent access to the compromised system with SYSTEM privileges. This can lead to complete system compromise, data theft, installation of ransomware, and lateral movement to other systems within the network. The impact includes potential data breaches, financial losses, and reputational damage.
Recommendation
- Enable Windows Security Event Logs and Windows System Event Logs to capture service creation events (Event IDs 4697 and 7045).
- Deploy the Sigma rule Suspicious Service Installation via ImagePath to your SIEM to detect suspicious service creations.
- Investigate any alerts generated by the Sigma rule by examining the service’s ImagePath and associated processes.
- Use the Osquery queries provided in the source to investigate existing services, unsigned executables, and drivers for suspicious characteristics.
- Monitor for registry changes related to service creation or modification.
Detection coverage (2 rules)
Suspicious Service Installation via ImagePath (severity: medium)
Detects the creation of a new Windows service with a suspicious ImagePath, indicating potential privilege escalation or persistence attempts.
Suspicious Service Installation via Event Logs (severity: medium)
Detects the creation of a new Windows service with a suspicious ServiceFileName or ImagePath based on Windows Event IDs 4697 and 7045.