Detection rules › Splunk
Windows Service Created (Sysmon)
Adversaries may leverage sc.exe to execute malicious content by creating a new service
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Persistence | T1543 Create or Modify System Process |
| Privilege Escalation | T1543 Create or Modify System Process |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '5705.18100'
title: Windows Service Created
description: 'Adversaries may leverage sc.exe to execute malicious content by creating
a new service. -- Threat Actor Association: Alloy Taurus/Gallium, APT27/Emissary
Panda, APT29/Nobelium/Cozy Bear, Earth Estries, FamousSparrow, FIN6, FIN7, FIN12,
Flax Typhoon, GoldenJackal, Lazarus, Magic Hound (aka APT35, Charming Kitten, Phosphorus,
and Mint Sandstorm), MalKamak, Memento Team, Night Spider, Prophet Spider, Redfly,
Wizard Spider - Software Association: Bazar, Conti, Clop, Cuba, DirtyMoe, GhostShell,
Hancitor, Midas, Prometheus/Spook, Snatch -- Atomics T1036.004 Test #2 Atomics T1574.009
Test#1 -- #TrendingThreat #Russia #Ukraine'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` ("EventCode=1" OR "<EventID>1<")
(TERM(sc) OR TERM(sc.exe)) TERM(create) |regex process="(?i)sc(\.exe)?\s(.+)?create\s"|
table _time, host, user, signature_id, process, process_*, parent_* | bin span=1s
| stats values(*) as * by _time, host '
techniques:
- execution:system services:service execution
- persistence:create or modify system process
technique_id:
- T1569.002
- T1543
data_category:
- Windows Sysmon
references:
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` ("EventCode=1" OR "<EventID>1<") (TERM(sc) OR TERM(sc.exe)) TERM(create)
Stage 2: regex
| regex process="(?i)sc(\.exe)?\s(.+)?create\s"
Stage 3: table
| table _time, host, user, signature_id, process, process_*, parent_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
process | regex_match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "EventCode=1" |
| 1 | "<EventID>1<" |
| 1 | TERM |
| 1 | sc |
| 1 | TERM |
| 1 | sc.exe |
| 1 | TERM |
| 1 | create |