Service Creation

Metadata


id	WIN-190813181020
author	Roberto Rodriguez @Cyb3rWard0g
creation date	2019/08/13
platform	Windows
playbook link

Technical Description

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by by adversaries creating a new service.

Hypothesis

Adversaries might be creating new services to execute code on a compromised endpoint in my environment

Analytics

Initialize Analytics Engine



In [ ]:

    
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File



In [ ]:

    
mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Analytic I

FP Rate	Log Channel	Description
Low	['Security']	Look for new services being created in your environment and stack the values of it



In [ ]:

    
df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, SubjectUserName ServiceName, ServiceType, ServiceStartType, ServiceAccount
FROM mordorTable
WHERE channel = "Security" AND event_id = 4697
    '''
)
df.show(1,False)

Detection Blindspots

Hunter Notes

If there are a lot of unique services being created in your environment, try to categorize the data based on the bussiness unit.
Identify the source of unique services being created everyday. I have seen Microsoft applications doing this.
Stack the values of the service file name associated with the new service.
Document what users create new services across your environment on a daily basis

Hunt Output

References

https://www.powershellempire.com/?page_id=523