New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Modify Existing Service | Persistence, Privilege Escalation | Moderate |
| New Service | Persistence, Privilege Escalation | Moderate |
Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services.
```
processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 30 day)
current_services = filter services (where timestamp >= now - 1 day)
new_services = current_services - historic_services
output new_services
```
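The following is an added worked example of the baseline-versus-today comparison described above; it is not part of the original analytic and uses constructed sample events rather than real telemetry. It assumes process-creation records with `timestamp`, `image_path` and `parent_image_path` fields (Sysmon-style names, chosen here for illustration) and treats a service executable as any process whose parent is `services.exe`. Paths are lower-cased before comparison because Windows paths are case-insensitive, and the 30-day baseline window is applied as a lower bound, so an executable last seen before the window (here `legacy.exe`) is reported as new when it reappears, which is the behaviour a defender should expect from this analytic.

```python
from datetime import datetime, timedelta

SERVICES_EXE = r"c:\windows\system32\services.exe"

# Constructed sample Process:Create events; field names are an assumption for this example.
NOW = datetime(2024, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # Well-known service host seen in the baseline and again today: not new.
    {"timestamp": NOW - timedelta(days=10), "image_path": r"C:\Windows\System32\svchost.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
    {"timestamp": NOW - timedelta(hours=2), "image_path": r"C:\Windows\System32\svchost.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
    # Executable first started as a service today: new.
    {"timestamp": NOW - timedelta(hours=1), "image_path": r"C:\ProgramData\updater\svc.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
    # Started today but not by services.exe: not a service, ignored.
    {"timestamp": NOW - timedelta(hours=1), "image_path": r"C:\Tools\notepad.exe",
     "parent_image_path": r"C:\Windows\explorer.exe"},
    # Last seen 45 days ago, outside the 30-day baseline, and seen again today: reported as new.
    {"timestamp": NOW - timedelta(days=45), "image_path": r"C:\Tools\legacy.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
    {"timestamp": NOW - timedelta(hours=3), "image_path": r"C:\Tools\legacy.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
    # Only in the baseline, not today: nothing to report.
    {"timestamp": NOW - timedelta(days=5), "image_path": r"C:\Windows\System32\spoolsv.exe",
     "parent_image_path": r"C:\Windows\System32\services.exe"},
]


def find_new_service_executables(events, now, baseline_days=30, window_days=1):
    """Return image paths started by services.exe within the last `window_days`
    that do not appear in the preceding `baseline_days` of service starts."""
    baseline_start = now - timedelta(days=baseline_days)
    current_start = now - timedelta(days=window_days)

    # Keep only processes whose parent is services.exe (the service control manager).
    services = [e for e in events
                if e["parent_image_path"].lower() == SERVICES_EXE]

    # Baseline: service executables seen between 30 days ago and 1 day ago.
    historic = {e["image_path"].lower() for e in services
                if baseline_start <= e["timestamp"] < current_start}
    # Current: service executables seen in the last day.
    current = {e["image_path"].lower() for e in services
               if e["timestamp"] >= current_start}

    # Services seen today minus services in the baseline leaves the new ones.
    return sorted(current - historic)


if __name__ == "__main__":
    for path in find_new_service_executables(SAMPLE_EVENTS, NOW):
        print("new service executable:", path)
```

In production the baseline would be computed once from stored process-creation data and the current set from the most recent day, then the set difference reviewed; the logic above is the same regardless of where the events come from.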
Data Model References