Created
December 17, 2019 16:53
-
-
Save Cyb3rWard0g/e184619fb6b938b9354f77fb2db63004 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Remote Service creation | |
id: WIN-190815181010 | |
author: Roberto Rodriguez @Cyb3rWard0g | |
playbook_link: WIN-190813181020 | |
creation_date: 19/08/15 | |
platform: Windows | |
permissions_required: | |
- Administrator | |
attack_coverage: | |
- technique: T1035 | |
tactics: | |
- TA0002 | |
- TA0008 | |
hypothesis: Adversaries might be creating new services remotely to execute code and move laterally in my environment | |
description: |- | |
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by by adversaries creating a new service. | |
Adversaries can create services remotely to execute code and move lateraly across the environment. | |
validation_dataset: | |
- type: mordor | |
url: https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/service_execution_T1035/empire_invoke_psexec.tar.gz | |
analytics: | |
- name: Analytic I | |
data_sources: | |
- Security | |
false_positives: Low | |
description: Look for new services being created in your environment under a network logon session (3). That is a sign that the service creation was performed from another endpoint in the environment | |
logic: |- | |
SELECT o.`@timestamp`, o.computer_name, o.SubjectUserName, o.SubjectUserName, o.ServiceName, a.IpAddress | |
FROM mordorTable o | |
INNER JOIN ( | |
SELECT computer_name,TargetUserName,TargetLogonId,IpAddress | |
FROM mordorTable | |
WHERE channel = "Security" | |
AND LogonType = 3 | |
AND IpAddress is not null | |
AND NOT TargetUserName LIKE "%$" | |
) a | |
ON o.SubjectLogonId = a.TargetLogonId | |
WHERE o.channel = "Security" | |
AND o.event_id = 4697 | |
detection_blindspots: | |
hunter_notes: |- | |
* If there are a lot of unique services being created in your environment, try to categorize the data based on the bussiness unit. | |
* Identify the source of unique services being created everyday. I have seen Microsoft applications doing this. | |
* Stack the values of the service file name associated with the new service. | |
* Document what users create new services across your environment on a daily basis | |
hunt_output: | |
references: |- | |
* https://www.powershellempire.com/?page_id=523 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment