Detection rules › Splunk
Windows Service Created with Suspicious Service Name
The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the wineventlog_system to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
Event coverage
| Provider | Event |
|---|---|
| Service-Control-Manager | Event ID 7045 |
Rule body splunk
name: Windows Service Created with Suspicious Service Name
id: 35eb6d19-a497-400c-93c5-645562804b11
version: 9
creation_date: '2025-02-07'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
data_source:
- Windows Event Log System 7045
search: |-
`wineventlog_system` EventCode=7045
| stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
| eval process_name = replace(mvindex(split(process,"\\"),-1), "\"", "")
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
| lookup windows_suspicious_services service_name as object_name
| where isnotnull(tool_name)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_service_created_with_suspicious_service_name_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints.
known_false_positives: Legitimate applications may install services with uncommon services paths.
references:
- https://attack.mitre.org/techniques/T1569/002/
- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16
- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv
drilldown_searches:
- name: View the detection results for - "$dest$""
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
- name: Investigate service events on $dest$
search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
intermediate_findings:
entities:
- field: dest
type: system
score: 20
message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$]
threat_objects:
- field: object_name
type: signature
- field: process
type: process
analytic_story:
- Active Directory Lateral Movement
- Brute Ratel C4
- CISA AA23-347A
- Clop Ransomware
- Flax Typhoon
- PlugX
- Qakbot
- Snake Malware
- Tuoni
- Gh0st RAT
asset_type: Endpoint
mitre_attack_id:
- T1569.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log
source: XmlWinEventLog:System
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_system` EventCode=7045
Stage 2: stats
| stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
Stage 3: eval
| eval process_name = replace(mvindex(split(process,"\\"),-1), "\"", "")
Stage 4: rename
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
Stage 5: lookup
| lookup windows_suspicious_services service_name as object_name
Stage 6: where
| where isnotnull(tool_name)
Stage 7: search
| `security_content_ctime(firstTime)`
Stage 8: search
| `security_content_ctime(lastTime)`
Stage 9: search
| `windows_service_created_with_suspicious_service_name_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.