Techniques
Sample rules
Randomly Generated Windows Service Name
- source: splunk
- technicques:
- T1543
- T1543.003
Description
The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the ut_shannon function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
Detection logic
`wineventlog_system` EventCode=7045
| lookup ut_shannon_lookup word as Service_Name
| where ut_shannon > 3
| table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name
| `randomly_generated_windows_service_name_filter`