@Cyb3rWard0g
Created December 17, 2019 16:53
title: Remote Service creation
id: WIN-190815181010
author: Roberto Rodriguez @Cyb3rWard0g
playbook_link: WIN-190813181020
creation_date: 19/08/15
platform: Windows
permissions_required:
  - Administrator
attack_coverage:
  - technique: T1035
    tactics:
      - TA0002
      - TA0008
hypothesis: Adversaries might be creating new services remotely to execute code and move laterally in my environment
description: |-
  Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. One way to do this is to create a new service.
  Adversaries can create services remotely to execute code and move laterally across the environment.
validation_dataset:
  - type: mordor
    url: https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz
analytics:
  - name: Analytic I
    data_sources:
      - Security
    false_positives: Low
    description: Look for new services being created in your environment under a network logon session (logon type 3). That is a sign that the service creation was performed from another endpoint in the environment.
    logic: |-
      SELECT o.`@timestamp`, o.computer_name, o.SubjectUserName, o.ServiceName, o.ServiceFileName, a.IpAddress
      FROM mordorTable o
      INNER JOIN (
        SELECT computer_name, TargetUserName, TargetLogonId, IpAddress
        FROM mordorTable
        WHERE channel = "Security"
          AND event_id = 4624
          AND LogonType = 3
          AND IpAddress is not null
          AND NOT TargetUserName LIKE "%$"
      ) a
      ON o.SubjectLogonId = a.TargetLogonId
      WHERE o.channel = "Security"
      AND o.event_id = 4697
detection_blindspots:
hunter_notes: |-
  * If there are a lot of unique services being created in your environment, try to categorize the data based on the business unit.
  * Identify the source of unique services being created every day. I have seen Microsoft applications doing this.
  * Stack the values of the service file name associated with the new service.
  * Document which users create new services across your environment on a daily basis.
hunt_output:
references: |-
  * https://www.powershellempire.com/?page_id=523
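The correlation behind Analytic I, and the "stack the service file name" step from the hunter notes, carried out in plain Python over a handful of constructed Security events. This is an added example, not code from the playbook or the mordor project; the field names are the real Windows Security event fields as mordor flattens them (event_id, LogonType, TargetLogonId, SubjectLogonId, ServiceFileName, ...), but the hosts, users, logon ids, IPs and service names are made up. One deliberate difference from the SQL: the session lookup is keyed on host plus logon id, because a logon id is only unique per machine, not across a fleet.

```python
# Added example, not part of the original playbook: Analytic I (4697 service
# installs joined to 4624 logon-type-3 sessions) plus the hunter-note stacking step.
# Field names are real Security event fields; the event contents are constructed.
from collections import Counter

# Constructed sample events (made up for this example, not real log data).
SAMPLE_EVENTS = [
    # 4624 network logon (type 3) by a human account from 10.0.0.5: the session we care about
    {"event_id": 4624, "channel": "Security", "computer_name": "WS01.corp.local",
     "TargetUserName": "jdoe", "TargetLogonId": "0x3E7A1", "LogonType": 3, "IpAddress": "10.0.0.5"},
    # 4624 interactive console logon (type 2): a service created here is local, not lateral movement
    {"event_id": 4624, "channel": "Security", "computer_name": "WS01.corp.local",
     "TargetUserName": "jdoe", "TargetLogonId": "0x1B2C3", "LogonType": 2, "IpAddress": "127.0.0.1"},
    # 4624 machine-account network logon: dropped by the NOT TargetUserName LIKE "%$" clause
    {"event_id": 4624, "channel": "Security", "computer_name": "WS01.corp.local",
     "TargetUserName": "DC01$", "TargetLogonId": "0x4D5E6", "LogonType": 3, "IpAddress": "10.0.0.2"},
    # 4697 service installed inside the remote session: should be flagged
    {"event_id": 4697, "channel": "Security", "computer_name": "WS01.corp.local",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3E7A1",
     "ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    # 4697 inside the console session, twice: not flagged, but gives the stack something to count
    {"event_id": 4697, "channel": "Security", "computer_name": "WS01.corp.local",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x1B2C3",
     "ServiceName": "UpdaterSvc", "ServiceFileName": "C:\\Program Files\\Vendor\\updater.exe"},
    {"event_id": 4697, "channel": "Security", "computer_name": "WS01.corp.local",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x1B2C3",
     "ServiceName": "UpdaterSvc", "ServiceFileName": "C:\\Program Files\\Vendor\\updater.exe"},
    # 4697 inside the machine-account session: not flagged
    {"event_id": 4697, "channel": "Security", "computer_name": "WS01.corp.local",
     "SubjectUserName": "DC01$", "SubjectLogonId": "0x4D5E6",
     "ServiceName": "BackupAgent", "ServiceFileName": "C:\\Windows\\backup.exe"},
]


def network_logon_sessions(events):
    """Inner query of Analytic I: successful network logons (4624, LogonType 3) by
    non-machine accounts that carry a source IP. Returns {(host, logon_id): ip}.
    Keying on host as well as logon id is a deliberate tightening over the SQL,
    which joins on TargetLogonId alone; logon ids are only unique per host."""
    sessions = {}
    for e in events:
        if e.get("channel") != "Security" or e.get("event_id") != 4624:
            continue
        if e.get("LogonType") != 3 or not e.get("IpAddress"):
            continue
        if e.get("TargetUserName", "").endswith("$"):  # NOT TargetUserName LIKE "%$"
            continue
        sessions[(e["computer_name"], e["TargetLogonId"])] = e["IpAddress"]
    return sessions


def remote_service_creations(events):
    """Outer query of Analytic I: 4697 (service installed) events whose SubjectLogonId
    belongs to one of the network logon sessions above. Each hit carries the source IP
    of the logon, i.e. the endpoint the service was created from."""
    sessions = network_logon_sessions(events)
    hits = []
    for e in events:
        if e.get("channel") != "Security" or e.get("event_id") != 4697:
            continue
        key = (e["computer_name"], e["SubjectLogonId"])
        if key in sessions:
            hits.append({
                "computer_name": e["computer_name"],
                "SubjectUserName": e["SubjectUserName"],
                "ServiceName": e["ServiceName"],
                "ServiceFileName": e["ServiceFileName"],
                "IpAddress": sessions[key],
            })
    return hits


def stack_service_file_names(events):
    """Hunter note: stack (count) the service file name of every new service so the
    rare, one-off binaries stand out from the daily noise of known installers."""
    return Counter(e["ServiceFileName"] for e in events
                   if e.get("channel") == "Security" and e.get("event_id") == 4697)


if __name__ == "__main__":
    for hit in remote_service_creations(SAMPLE_EVENTS):
        print("remote service creation:", hit)
    for path, n in stack_service_file_names(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {path}")
```

Run against the sample set, only the PSEXESVC install is reported, attributed to 10.0.0.5; the console-session installs and the machine-account session are filtered out exactly as the SQL's LogonType and `%$` clauses intend. The stack shows the updater path twice and the PsExec-style path once, which is the shape the hunter notes want you to look at: the long tail of single-occurrence file names.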