New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.

ATT&CK Detection

Technique                 Tactic                              Level of Coverage
Modify Existing Service   Persistence, Privilege Escalation   Moderate
New Service               Persistence, Privilege Escalation   Moderate

Pseudocode

Create a baseline of service executables seen over the last 30 days and a list of service executables seen today. Remove the executables present in the baseline from those seen today, leaving a list of new service executables.

processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 30 days)
current_services = filter services (where timestamp >= now - 1 day)
new_services = current_services - historic_services
output new_services
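The baseline-versus-today comparison above, written out as a runnable Python example (added here; not code from the original analytic). The event fields, the `SAMPLE_EVENTS` list and the `NOW` timestamp are constructed for illustration; paths are compared case-insensitively, and an executable whose only earlier sighting is older than the 30-day window is reported as new, since it is no longer in the baseline.

```python
from datetime import datetime, timedelta

SERVICES_EXE = r"c:\windows\system32\services.exe"

def find_new_service_executables(events, now, baseline_days=30):
    """Service executables (children of services.exe) seen in the last day
    that do not appear in the preceding baseline window. Paths are compared
    case-insensitively (as NTFS does); the normalised lowercase paths are returned."""
    day_ago = now - timedelta(days=1)
    baseline_start = now - timedelta(days=baseline_days)
    # Keep only Process:Create events whose parent is services.exe
    services = [e for e in events if e["parent_image_path"].lower() == SERVICES_EXE]
    historic = {e["image_path"].lower() for e in services
                if baseline_start <= e["timestamp"] < day_ago}
    current = {e["image_path"].lower() for e in services if e["timestamp"] >= day_ago}
    return sorted(current - historic)

# Constructed reference time and sample events (hypothetical, not real telemetry)
NOW = datetime(2024, 1, 31, 12, 0)

def ev(days_ago, image_path, parent=r"C:\Windows\System32\services.exe"):
    return {"timestamp": NOW - timedelta(days=days_ago),
            "image_path": image_path, "parent_image_path": parent}

SAMPLE_EVENTS = [
    ev(20, r"C:\Windows\System32\svchost.exe"),    # in the baseline window
    ev(10, r"C:\Windows\System32\spoolsv.exe"),    # in the baseline window
    ev(35, r"C:\Windows\System32\oldsvc.exe"),     # older than the baseline window
    ev(0.5, r"C:\Windows\System32\svchost.exe"),   # seen today, baselined: not reported
    ev(0.2, r"C:\Users\Public\updater.exe"),       # seen today, never baselined: reported
    ev(0.1, r"C:\Windows\System32\OldSvc.exe"),    # seen today, baseline aged out: reported
    ev(0.1, r"C:\Users\Public\updater.exe",
       parent=r"C:\Windows\explorer.exe"),         # not started by services.exe: ignored
]

if __name__ == "__main__":
    for path in find_new_service_executables(SAMPLE_EVENTS, NOW):
        print("new service executable:", path)
```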

Data Model References

Object    Action    Field
process   create    parent_image_path