security-content/detections/first_time_seen_running_windows_service.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
asset_type: Endpoint
baselines:
  - id: 64ce0ade-cb01-4678-bddd-d31c0b175394
    name: Previously Seen Running Windows Services
    type: splunk
confidence: medium
creation_date: '2018-07-22'
data_metadata:
  data_eventtypes:
    - wineventlog_system
  data_source:
    - Windows Event Logs
  providing_technologies:
    - Microsoft Windows
description: This search looks for the first time a Windows service is seen running
  in your environment.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: service_name
        rule_description: The service $service_name$ is running on $dest$. This is
          the first time this service has been run on any system.
        rule_title: First Time Seen Windows Service $service_name$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 40
      schedule:
        cron_schedule: 30 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: eventtype=wineventlog_system signature_id=7036 | rename param1 as service_name | rename param2 as action | search action="running" [ search eventtype=wineventlog_system signature_id=7036 | rename param1 as service_name | rename param2 as action | search action="running" | stats earliest(_time) as firstTime, latest(_time) as lastTime by service_name | inputlookup append=t previously_seen_running_windows_services | stats min(firstTime) as firstTime max(lastTime) as lastTime by service_name | outputlookup previously_seen_running_windows_services| eval serviceStatus=if(firstTime >= relative_time(now(),"-60m@m"), "First time seen Windows service","Previously seen Windows service") | where serviceStatus="First time seen Windows service"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table service_name]| table _time dest service_name
      suppress:
        suppress_fields: service_name, dest
        suppress_period: 86400s
eli5: 'This search looks for a change in the status of a Windows service and extracts
  the name of the service and the action taken by the service. Then the cache file
  of previously seen Windows services is added to the search. At this point, the search
  takes two different paths: the first updates the cache file with the latest information
  and the second searches for services that have never before been seen. It returns
  the time, the Windows host name, and the service name.'
entities:
  - dest
how_to_implement: While this search does not require you to adhere to Splunk CIM,
  you must be ingesting your Windows security-event logs in order for this search
  to execute successfully. The support search, `Previously Seen Running Windows Services`,
  should be run before this search to create the baseline of known Windows services. Please ensure that the Splunk Add-on for Microsoft Windows is version 5.0.0 or above.
id: 823136f2-d755-4b6d-ae04-372b486a5808
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: A previously unseen service is not necessarily malicious. Verify
  that the service is legitimate and that was installed by a legitimate process.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 2
    - CIS 9
  kill_chain_phases:
    - Installation
    - Actions on Objectives
  mitre_attack:
    - Execution
    - New Service
  mitre_technique_id:
    - T1050
  nist:
    - ID.AM
    - PR.DS
    - PR.AC
    - DE.AE
modification_date: '2020-01-13'
name: First Time Seen Running Windows Service
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'