There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.
When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on
services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.
This compound behavior can be detected by looking for
services.exe receiving a network connection and immediately spawning a child process.
|Technique||Tactic||Level of Coverage|
|Modify Existing Service||Execution||Moderate|
Look for processes launched from
services.exe within 1 second of
services.exe receiving a network connection.
process = search Process:Create flow = search Flow:Start service = filter process where (parent_exe == "services.exe") remote_start = join (flow, service ) where ( flow.hostname == service.hostname and flow.pid == service.pid and (flow.time < service.time < flow.time + 1 second) ) output remote_start
Data Model References