CAR-2013-09-005: Service Outlier Executables
New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Create or Modify System Process | Windows Service | Persistence | Moderate |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PLA | Process Lineage Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | parent_image_path |
Implementations
Pseudocode
Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services.
processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_services = filter services (where timestamp >= now - 1 day)
new_services = historic_services - current_services
output new_services
Sigma (Windows Event Log) (Sigma)
Sigma/Windows Event Log rule with similar logic to the above pseudocode
Logpoint, LogPoint native
LogPoint version of the above sigma rule.
norm_id=WinServer event_id=7045
| chart count() as cnt by file
| search cnt < 5