{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service_creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege_escalation","windows","service_creation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers frequently abuse Windows services for persistence and privilege escalation. By creating or modifying services with malicious configurations, they can execute code with SYSTEM privileges. This rule detects suspicious service creations based on the image path, looking for services that point to command interpreters, scripts, or unusual locations. This activity is indicative of malicious actors attempting to establish persistence or escalate privileges within a compromised system. The detection focuses on identifying unusual command lines and file paths associated with newly created services based on Windows Event IDs 4697 and 7045.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to escalate privileges to SYSTEM.\u003c/li\u003e\n\u003cli\u003eService Creation: The attacker creates a new Windows service using tools like \u003ccode\u003esc.exe\u003c/code\u003e or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eImage Path Modification: The attacker sets the service\u0026rsquo;s \u003ccode\u003eImagePath\u003c/code\u003e to point to a command interpreter (e.g., cmd.exe, powershell.exe) or a script file.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The service executes the command interpreter or script with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker configures the service to start automatically on system boot, ensuring persistent access.\u003c/li\u003e\n\u003cli\u003eMalicious Activity: The attacker uses the elevated privileges to perform malicious activities, such as installing malware, stealing credentials, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the compromised system with SYSTEM privileges. This can lead to complete system compromise, data theft, installation of ransomware, and lateral movement to other systems within the network. The impact includes potential data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logs and Windows System Event Logs to capture service creation events (Event IDs 4697 and 7045).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Service Installation via ImagePath\u003c/code\u003e to your SIEM to detect suspicious service creations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the service\u0026rsquo;s \u003ccode\u003eImagePath\u003c/code\u003e and associated processes.\u003c/li\u003e\n\u003cli\u003eUse the Osquery queries provided in the source to investigate existing services, unsigned executables, and drivers for suspicious characteristics.\u003c/li\u003e\n\u003cli\u003eMonitor for registry changes related to service creation or modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-12T12:00:00Z","date_published":"2024-01-12T12:00:00Z","id":"/briefs/2024-01-suspicious-service-installation/","summary":"This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.","title":"Detect Suspicious Windows Service Installation","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-service-installation/"}],"language":"en","title":"CraftedSignal Threat Feed — Service_creation","version":"https://jsonfeed.org/version/1.1"}