LoFP / legitimate applications may use random windows service names.

Techniques

Sample rules

Randomly Generated Windows Service Name

Description

The following hunting analytic leverages Event ID 7045 (A new service was installed in the system) to identify the installation of a Windows service with a suspicious, high-entropy service name. To do so, it also relies on the ut_shannon function from the URL Toolbox Splunk application. Red teams and adversaries alike may abuse the Service Control Manager to create and start a remote Windows service and obtain remote code execution; tools such as Metasploit, Cobalt Strike and Impacket typically create a Windows service with a random service name on the victim host for this purpose. This hunting analytic may help defenders identify Windows services installed as part of a lateral movement attack. The entropy threshold (ut_shannon > 3) should be tuned by users. The Service_File_Name field can be used to determine whether the Windows service has malicious intent.

Detection logic

`wineventlog_system` EventCode=7045 
| lookup ut_shannon_lookup word as Service_Name 
| where ut_shannon > 3 
| table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name 
| `randomly_generated_windows_service_name_filter`