{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/veeamguesthelper.exe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VeeamVssSupport","VeeamGuestHelper.exe","VeeamLogShipper","PDQ Inventory","PDQ Deploy","SCCM","SMS"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows-service","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam","CrowdStrike","Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the creation of Windows services by unusual client processes. Adversaries may exploit this by creating services with administrator privileges, which then execute under SYSTEM privileges, allowing for privilege escalation. The rule focuses on detecting services installed with a ClientProcessId or ParentProcessId of 0, suggesting an unusual or potentially malicious service creation method. The rule also excludes known legitimate services such as VeeamVssSupport, VeeamLogShipper, PDQ Inventory, PDQ Deploy, CrowdStrike installer services, SCCM/SMS, nsnetpush and pbpsdeploy to minimize false positives. The tactic aims to escalate privileges within the Windows environment from administrator to SYSTEM level.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with administrator-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a custom service control manager RPC client or another unusual method to create a new Windows service.\u003c/li\u003e\n\u003cli\u003eThe ClientProcessId or ParentProcessId is set to 0 during service creation, indicating an unusual installation process.\u003c/li\u003e\n\u003cli\u003eThe service is configured to run as LocalSystem, granting it highly privileged access.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the service to execute a malicious executable or script.\u003c/li\u003e\n\u003cli\u003eThe service is started, either manually or automatically, by the operating system.\u003c/li\u003e\n\u003cli\u003eThe malicious executable or script runs with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation, allowing them to perform actions that require the highest level of access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to escalate privileges from administrator to SYSTEM, granting them full control over the compromised system. This can lead to data theft, installation of malware, or complete system compromise. The impact is significant, as the attacker can bypass security controls and perform any action on the system with the highest level of privilege.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Security System Extension to generate the necessary events for detection (reference: \u003ca href=\"https://ela.st/audit-security-system-extension\"\u003ehttps://ela.st/audit-security-system-extension\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Windows Service Creation with Null Process ID\u0026rdquo; to identify potentially malicious service installations. Tune the rule by adding legitimate software deployment tools to the exclusion list based on observed false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the ServiceFileName, ServiceAccount, and ClientProcessId to determine the legitimacy of the service creation event.\u003c/li\u003e\n\u003cli\u003eMonitor Event ID 4697 (A new service was installed in the system) in Windows Security Event Logs for unusual service creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T19:11:50Z","date_published":"2026-05-12T19:11:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-service-privilege-escalation/","summary":"Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.","title":"Windows Service Installed via an Unusual Client for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-service-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed — VeeamGuestHelper.exe","version":"https://jsonfeed.org/version/1.1"}