note that false positives may occur, and filtering may be necessary, especially when it comes to remote service creation by administrators or software management utilities.

t1543
t1543.003
endpoint
splunk

Techniques

T1543
T1543.003

Sample rules

Windows Remote Create Service

source: splunk
technicques:
- T1543
- T1543.003

Description

This analytic identifies an endpoint that remotely connects to another endpoint to create a new service using sc.exe. On the remote endpoint, the new service will be created and this action will trigger the creation of EventCode 7045 along with all the resulting service information.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe Processes.process IN ("*create*")  Processes.process="*\\\\*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_remote_create_service_filter`