
Summary
The detection rule titled "Windows Service Installed via an Unusual Client" identifies the creation of Windows services by unusual client processes, which can signal privilege escalation attempts by adversaries. The threat stems from the fact that Windows services commonly run under SYSTEM privileges, so unauthorized creation of a service can let an attacker move from lower user privileges to SYSTEM. The rule monitors specific event logs for a service being installed with a ClientProcessId or ParentProcessId of '0', which indicates unusual activity, and it excludes known legitimate services to minimize false positives. The setup requires enabling 'Audit Security System Extension' logging so that the relevant success events are captured. The investigation steps emphasize checking the context and history of the process involved in the service creation, ensuring that known legitimate tools are not incorrectly flagged, and responding effectively to any confirmed threat.
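The following is an added illustration of the detection logic described above, run over a few constructed Windows Security event records; it is not the rule's own query or code. It assumes the events are flattened dicts in the shape a log shipper would produce, uses Event ID 4697 ("A service was installed in the system", the success event emitted under 'Audit Security System Extension'), and carries a placeholder exclusion list in place of the rule's real list of known legitimate services.

```python
"""Added example (not the detection rule's own code): flag service installs
whose client or parent process id is 0, skipping known-good service names."""

# Event ID 4697 is the 'A service was installed in the system' success event
# produced once 'Audit Security System Extension' logging is enabled.
SERVICE_INSTALLED_EVENT_ID = "4697"

# Placeholder exclusion list. The real rule ships its own list of legitimate
# services; these two names are constructed for this example.
KNOWN_GOOD_SERVICES = {"ExampleBackupAgent", "ExampleUpdateService"}


def is_unusual_client_install(event, known_good=KNOWN_GOOD_SERVICES):
    """Return True when a 4697 event records a service installed by a client
    the log cannot attribute (ClientProcessId or ParentProcessId of '0') and
    the service name is not on the known-good list."""
    if event.get("event_id") != SERVICE_INSTALLED_EVENT_ID:
        return False
    data = event.get("event_data", {})
    if data.get("ServiceName") in known_good:
        return False
    # Field values are strings in the raw event, so compare against "0".
    return data.get("ClientProcessId") == "0" or data.get("ParentProcessId") == "0"


def find_alerts(events, known_good=KNOWN_GOOD_SERVICES):
    """Return the service names of all events that match the rule."""
    return [
        e["event_data"]["ServiceName"]
        for e in events
        if is_unusual_client_install(e, known_good)
    ]


# Constructed sample events (assumed field layout; values are illustrative).
SAMPLE_EVENTS = [
    {   # Service installed with no attributable client: should alert.
        "event_id": "4697",
        "event_data": {
            "ServiceName": "SuspectSvc",
            "ServiceFileName": "C:\\Users\\Public\\svc.exe",
            "ClientProcessId": "0",
            "ParentProcessId": "0",
        },
    },
    {   # Same pattern, but the service is on the exclusion list: no alert.
        "event_id": "4697",
        "event_data": {
            "ServiceName": "ExampleUpdateService",
            "ServiceFileName": "C:\\Program Files\\Example\\update.exe",
            "ClientProcessId": "0",
            "ParentProcessId": "0",
        },
    },
    {   # Normal install with a real client process: no alert.
        "event_id": "4697",
        "event_data": {
            "ServiceName": "NormalSvc",
            "ServiceFileName": "C:\\Program Files\\Normal\\svc.exe",
            "ClientProcessId": "4120",
            "ParentProcessId": "812",
        },
    },
    {   # A different event id is ignored entirely.
        "event_id": "4688",
        "event_data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    },
]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: service '{name}' installed via an unusual client")
```

The exclusion check runs before the process-id test so that a legitimate service on the list is never evaluated further; when tuning, add a service name only after confirming its binary path and the installing process in the investigation steps above.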
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Logon Session
- Process
- Network Share
- Network Traffic
ATT&CK Techniques
- T1543
- T1543.003
Created: 2022-02-07