service_abuse.yml

category:
  - Malware
channel: ESCU
creation_date: '2017-11-02'
description: Windows services are often used by attackers for persistence and the
  ability to load drivers or otherwise interact with the Windows kernel. This Analytic
  Story helps you monitor your environment for indications that Windows services are
  being modified or created in a suspicious manner.
detections:
  - detection_id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
    name: Sc.exe Manipulating Windows Services
    type: splunk
  - detection_id: 8470d755-0c13-45b3-bd63-387a373c10cf
    name: Reg.exe Manipulating Windows Services Registry Keys
    type: splunk
  - detection_id: 823136f2-d755-4b6d-ae04-372b486a5808
    name: First Time Seen Running Windows Service
    type: splunk
id: 6dbd810e-f66d-414b-8dfc-e46de55cbfe2
maintainers:
  - company: Splunk
    email: rvaldez@splunk.com
    name: Rico Valdez
modification_date: '2017-11-02'
name: Windows Service Abuse
narrative: The Windows operating system uses a services architecture to allow for
  running code in the background, similar to a UNIX daemon. Attackers will often leverage
  Windows services for persistence, hiding in plain sight, seeking the ability to
  run privileged code that can interact with the kernel. In many cases, attackers
  will create a new service to host their malicious code. Attackers have also been
  observed modifying unnecessary or unused services to point to their own code, as
  opposed to what was intended. In these cases, attackers often use tools to create
  or modify services in ways that are not typical for most environments, providing
  opportunities for detection.
original_authors:
  - company: Splunk
    email: rvaldez@splunk.com
    name: Rico Valdez
references:
  - https://attack.mitre.org/wiki/Technique/T1050
  - https://attack.mitre.org/wiki/Technique/T1031
spec_version: 2
usecase: Advanced Threat Detection
version: '3.0'