Remote Windows Service Installed

Author: Elastic
Source: upstream

Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators."

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1569` System Services, `T1569.002` System Services: Service Execution
Persistence	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Lateral Movement	`T1021` Remote Services, `T1021.002` Remote Services: SMB/Windows Admin Shares

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4697	A service was installed in the system.

Stages and Predicates

Stage 1: `eql:authentication`

event.action:"logged-in" and event.outcome:"success" and not source.ip:"127.0.0.1" and not source.ip:"::1" and winlog.logon.type:"Network"

Stage 2: `eql:iam`

not winlog.event_data.ServiceFileName:"?:\\Windows\\ADCR_Agent\\adcrsvc.exe" and not winlog.event_data.SubjectLogonId:0x3e7 and event.action:"service-installed"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`LogonId`	eq	`0x3e7`
2	`ServiceFileName`	wildcard	`?:\Windows\ADCR_Agent\adcrsvc.exe`, `?:\Windows\System32\VSSVC.exe`, `?:\Windows\servicing\TrustedInstaller.exe`, `?:\Windows\System32\svchost.exe`, `?:\Program Files (x86)\.exe`, `?:\Program Files\.exe`, `?:\Windows\PSEXESVC.EXE`, `?:\Windows\System32\sppsvc.exe`, `?:\Windows\System32\wbem\WmiApSrv.exe`, `?:\WINDOWS\RemoteAuditService.exe`, `?:\Windows\VeeamVssSupport\VeeamGuestHelper.exe`, `?:\Windows\VeeamLogShipper\VeeamLogShipper.exe`, `?:\Windows\CAInvokerService.exe`, `?:\Windows\System32\upfc.exe`, `?:\Windows\AdminArsenal\PDQ*.exe`, `?:\Windows\System32\vds.exe`, `?:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe`, `?:\Windows\ProPatches\Scheduler\STSchedEx.exe`, `?:\Windows\System32\certsrv.exe`, `?:\Windows\eset-remote-install-service.exe`, `?:\Pella Corporation\Pella Order Management\GPAutoSvc.exe`, `?:\Pella Corporation\OSCToGPAutoService\OSCToGPAutoSvc.exe`, `?:\Pella Corporation\Pella Order Management\GPAutoSvc.exe`, `?:\Windows\SysWOW64\NwxExeSvc\NwxExeSvc.exe`, `?:\Windows\System32\taskhostex.exe`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`logged-in` corpus 7 (elastic 7) `service-installed` corpus 2 (elastic 2)
`event.outcome`	eq	`success` corpus 8 (elastic 8)
`source.ip`	ne	`127.0.0.1` corpus 8 (elastic 8) `::1` corpus 7 (elastic 7)
`winlog.logon.type`	wildcard	`Network` corpus 3 (elastic 3)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Service Creation via Local Kerberos Authentication [elastic]