New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Create or Modify System Process | Windows Service | Persistence | Moderate |
Data Model References
Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services.
```
processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 30 days)
current_services = filter services (where timestamp >= now - 1 day)
new_services = current_services - historic_services
output new_services
```
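The baseline-versus-today differencing described above, as an added example that is not CAR's own code: it replays the logic over a few constructed process-creation records. Field names follow the CAR data model (timestamp, image_path, parent_image_path); the helper `_svc`, the sample paths and the dates are assumptions of this example, and the last two records show the false positive you get when a legitimate service last ran before the baseline window opened.

```python
from datetime import datetime, timedelta

# Added example, not CAR's own code: replays the pseudocode above over a few
# hand-written process-creation records.  Field names follow the CAR data
# model (timestamp, image_path, parent_image_path); the rest is assumed.
SERVICES_EXE = r"C:\Windows\System32\services.exe"
BASELINE_DAYS = 30  # how far back the "known services" baseline reaches
RECENT_DAYS = 1     # window treated as "today"


def new_service_executables(events, now, baseline_days=BASELINE_DAYS,
                            recent_days=RECENT_DAYS):
    """Executables started by services.exe in the recent window that never
    appeared in the preceding baseline window (lower-cased, sorted)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    # Only children of services.exe are treated as service executables.
    services = [e for e in events
                if e["parent_image_path"].lower() == SERVICES_EXE.lower()]
    historic = {e["image_path"].lower() for e in services
                if baseline_start <= e["timestamp"] < recent_start}
    current = {e["image_path"].lower() for e in services
               if e["timestamp"] >= recent_start}
    # Today's services minus the baseline leaves the never-before-seen ones.
    return sorted(current - historic)


def _svc(days=0, hours=0, image=r"C:\Windows\System32\svchost.exe",
         parent=SERVICES_EXE):
    return {"timestamp": NOW - timedelta(days=days, hours=hours),
            "image_path": image, "parent_image_path": parent}


NOW = datetime(2024, 5, 1, 12, 0, 0)
# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    _svc(days=20),                      # svchost seen in the baseline ...
    _svc(hours=3),                      # ... and again today: not new
    _svc(hours=1, image=r"C:\Users\Public\updater.exe"),   # first seen today
    _svc(hours=2, image=r"C:\Tools\editor.exe",            # not a service
         parent=r"C:\Windows\explorer.exe"),
    _svc(days=45, image=r"C:\Windows\System32\spoolsv.exe"),  # older than baseline
    _svc(hours=5, image=r"C:\Windows\System32\spoolsv.exe"),  # so it looks new today
]

if __name__ == "__main__":
    for path in new_service_executables(SAMPLE_EVENTS, NOW):
        print("new service executable:", path)
```

Widening `baseline_days` to cover the older spoolsv run removes that hit, which is the tuning knob for this analytic's false-positive rate.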
Sigma (Windows Event Log) (Sigma)
Sigma/Windows Event Log rule with similar logic to the above pseudocode
Logpoint, LogPoint native
LogPoint version of the above Sigma rule.
```
norm_id=WinServer event_id=7045 | chart count() as cnt by file | search cnt < 5
```