| id | WIN-190815181010 |
| author | Roberto Rodriguez @Cyb3rWard0g |
| creation date | 2019/08/15 |
| platform | Windows |
| playbook link | WIN-190813181020 |
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by by adversaries creating a new service. Adversaries can create services remotely to execute code and move lateraly across the environment.
In [ ]:
from openhunt.mordorutils import *
spark = get_spark()
In [ ]:
mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
| FP Rate | Log Channel | Description |
|---|---|---|
| Low | ['Security'] | Look for new services being created in your environment under a network logon session (3). That is a sign that the service creation was performed from another endpoint in the environment |
In [ ]:
df = spark.sql(
'''
SELECT o.`@timestamp`, o.computer_name, o.SubjectUserName, o.SubjectUserName, o.ServiceName, a.IpAddress
FROM mordorTable o
INNER JOIN (
SELECT computer_name,TargetUserName,TargetLogonId,IpAddress
FROM mordorTable
WHERE channel = "Security"
AND LogonType = 3
AND IpAddress is not null
AND NOT TargetUserName LIKE "%$"
) a
ON o.SubjectLogonId = a.TargetLogonId
WHERE o.channel = "Security"
AND o.event_id = 4697
'''
)
df.show(1,False)