New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Create or Modify System Process Windows Service Persistence Moderate

Data Model References

Object Action Field
process create parent_image_path

Implementations

Pseudocode

Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services.

processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_services = filter services (where timestamp >= now - 1 day)
new_services = historic_services - current_services
output new_services

Sigma (Windows Event Log) (Sigma)

Sigma/Windows Event Log rule with similar logic to the above pseudocode

Logpoint, LogPoint native

LogPoint version of the above sigma rule.

norm_id=WinServer event_id=7045
| chart count() as cnt by file
| search cnt < 5