
Summary
This rule identifies the installation of suspicious Windows services characterized by high-entropy, often random-looking names, which can indicate malicious behavior. Using Windows System event log Event ID 7045, the rule applies the `ut_shannon` analysis function to measure the randomness of each service name. Randomly named services are frequently used by attackers for lateral movement and for executing arbitrary code, thereby escalating privileges or maintaining persistence within an environment. The rule specifically filters for service names with a Shannon entropy score greater than three, which suggests a low likelihood of the service being legitimate. Detections should therefore trigger monitoring and response processes, while known false positives must be accounted for, especially in environments where legitimate applications use similar naming conventions.
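To make the entropy threshold concrete, the following is an added Python example (not the rule's own SPL) that re-implements the Shannon entropy `ut_shannon` computes (bits per character over the name's character distribution) and applies the rule's `> 3` cut-off to a few constructed 7045 events; the event dictionaries, hostnames and allowlist are assumptions for illustration.

```python
"""Entropy-based triage of service-installation events (Event ID 7045)."""
import math
from collections import Counter

ENTROPY_THRESHOLD = 3.0  # the rule alerts on Shannon entropy strictly greater than three


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (same measure ut_shannon reports)."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Constructed sample events, not real telemetry. Field names mirror the
# System-log 7045 message ("Service Name", "Service File Name").
SAMPLE_EVENTS = [
    {"EventCode": 7045, "host": "WS01", "Service_Name": "Spooler",
     "Service_File_Name": r"C:\Windows\System32\spoolsv.exe"},
    {"EventCode": 7045, "host": "WS01", "Service_Name": "xKqZpWmLvRtHyBn",
     "Service_File_Name": r"C:\Windows\Temp\svc.exe"},
    {"EventCode": 7045, "host": "SRV02", "Service_Name": "VMware Tools Service Helper",
     "Service_File_Name": r"C:\Program Files\VMware\vmtoolsd.exe"},
    {"EventCode": 7036, "host": "SRV02", "Service_Name": "Spooler"},  # state change, not an install
]


def find_suspicious_services(events, allowlist=frozenset()):
    """Return (host, service name, entropy) for 7045 installs whose name scores above the threshold.

    `allowlist` holds known-good names that would otherwise trip the rule: entropy grows
    with name length and character variety, so long legitimate names often exceed 3.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") != 7045:
            continue
        name = ev.get("Service_Name", "")
        if name in allowlist:
            continue
        score = shannon_entropy(name)
        if score > ENTROPY_THRESHOLD:
            hits.append((ev["host"], name, round(score, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EVENTS, allowlist={"VMware Tools Service Helper"}):
        print("suspicious service install:", hit)
```

Running it flags only the random-looking name once the long vendor name is allowlisted; without the allowlist the vendor name scores above 3 as well, which is the false-positive class the summary warns about.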
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1543
- T1543.003
Created: 2024-11-13