SMS — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/sms/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 19:11:50 +0000Windows Service Installed via an Unusual Client for Privilege Escalationhttps://feed.craftedsignal.io/briefs/2026-05-windows-service-privilege-escalation/Tue, 12 May 2026 19:11:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-windows-service-privilege-escalation/Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.This detection identifies the creation of Windows services by unusual client processes. Adversaries may exploit this by creating services with administrator privileges, which then execute under SYSTEM privileges, allowing for privilege escalation. The rule focuses on detecting services installed with a ClientProcessId or ParentProcessId of 0, suggesting an unusual or potentially malicious service creation method. The rule also excludes known legitimate services such as VeeamVssSupport, VeeamLogShipper, PDQ Inventory, PDQ Deploy, CrowdStrike installer services, SCCM/SMS, nsnetpush and pbpsdeploy to minimize false positives. The tactic aims to escalate privileges within the Windows environment from administrator to SYSTEM level.

Attack Chain

  1. An attacker gains initial access to a system with administrator-level privileges.
  2. The attacker uses a custom service control manager RPC client or another unusual method to create a new Windows service.
  3. The ClientProcessId or ParentProcessId is set to 0 during service creation, indicating an unusual installation process.
  4. The service is configured to run as LocalSystem, granting it highly privileged access.
  5. The attacker configures the service to execute a malicious executable or script.
  6. The service is started, either manually or automatically, by the operating system.
  7. The malicious executable or script runs with SYSTEM privileges.
  8. The attacker achieves privilege escalation, allowing them to perform actions that require the highest level of access.

Impact

Successful exploitation allows an attacker to escalate privileges from administrator to SYSTEM, granting them full control over the compromised system. This can lead to data theft, installation of malware, or complete system compromise. The impact is significant, as the attacker can bypass security controls and perform any action on the system with the highest level of privilege.

Recommendation

  • Enable Audit Security System Extension to generate the necessary events for detection (reference: https://ela.st/audit-security-system-extension).
  • Deploy the Sigma rule “Detect Windows Service Creation with Null Process ID” to identify potentially malicious service installations. Tune the rule by adding legitimate software deployment tools to the exclusion list based on observed false positives in your environment.
  • Investigate any alerts generated by the Sigma rule by examining the ServiceFileName, ServiceAccount, and ClientProcessId to determine the legitimacy of the service creation event.
  • Monitor Event ID 4697 (A new service was installed in the system) in Windows Security Event Logs for unusual service creation events.
]]>highadvisoryprivilege-escalationwindows-servicewindows