Service Creation

Metadata

id

WIN-190813181020

author

Roberto Rodriguez @Cyb3rWard0g

creation date

2019/08/13

platform

Windows

playbook link

Technical Description

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by by adversaries creating a new service.

Hypothesis

Adversaries might be creating new services to execute code on a compromised endpoint in my environment

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/datasets/small/windows/execution/empire_invoke_psexec.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] Processing Data from Winlogbeat version 6..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Analytic I

FP Rate

Log Channel

Description

Low

[‘Security’]

Look for new services being created in your environment and stack the values of it

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, SubjectUserName ServiceName, ServiceType, ServiceStartType, ServiceAccount
FROM mordorTable
WHERE channel = "Security" AND event_id = 4697
    '''
)
df.show(10,False)
+-----------------------+---------------+-----------+-----------+----------------+--------------+
|@timestamp             |computer_name  |ServiceName|ServiceType|ServiceStartType|ServiceAccount|
+-----------------------+---------------+-----------+-----------+----------------+--------------+
|2019-05-18 17:07:23.035|IT001.shire.com|pgustavo   |0x10       |3               |LocalSystem   |
+-----------------------+---------------+-----------+-----------+----------------+--------------+

Detection Blindspots

Hunter Notes

  • If there are a lot of unique services being created in your environment, try to categorize the data based on the bussiness unit.

  • Identify the source of unique services being created everyday. I have seen Microsoft applications doing this.

  • Stack the values of the service file name associated with the new service.

  • Document what users create new services across your environment on a daily basis

Hunt Output

References

  • https://www.powershellempire.com/?page_id=523