This detection is to identify a creation of “user mode service” where the service file path is located in non-common service folder in windows.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
System Services Launchctl, Service Execution Execution Moderate

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
service create image_path


Pseudocode – Service in Suspicious File Path (Pseudocode, CAR native)

Pseudocode implementation of the Splunk search below.

services = search Service:create
suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] )
output suspicious_services

Splunk code (Splunk, Endpoint)

To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.

 `wineventlog_system` EventCode=7045  Service_File_Name = "*\.exe" NOT (Service_File_Name IN ("C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type

Unit Tests

Test Case 1

Configurations: Using Splunk Attack Range

Replay the detection dataset using the Splunk attack range with the commands below

python replay -dn data_dump [--dump NAME_OF_DUMP]

Test Case 2

Configurations: Using Invoke-AtomicRedTeam

execute the atomic test T1569.001 against a Windows target.

Invoke-AtomicTest T1569.001