Suspicious Service was Installed in the System

Author: Elastic
Source: upstream

Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service

Event coverage

Provider	Event ID	Title
Security-Auditing	4697	A service was installed in the system.
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `eql:any`

(winlog.event_data.ServiceFileName:"%systemroot%\\\\[a-z0-9]+\\.exe" or winlog.event_data.ServiceFileName:"COMSPEC") and not winlog.event_data.ServiceFileName:"%SystemRoot%\\PSEXESVC.exe"

Stage 2: `eql:any`

not winlog.event_data.ImagePath:"%SystemRoot%\\PSEXESVC.exe" and winlog.event_data.ImagePath:"COMSPEC"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`ServiceFileName`	wildcard	`%SystemRoot%\PSEXESVC.exe`, `%SystemRoot%\\RemComSvc.exe`, `%SystemRoot%\pbpsdeploy.exe`, `%SystemRoot%\system32\RemComSvc.exe`, `"C:\Program Files\Common Files\Zoom\Support\CptService.exe*`, `"C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\host\cpsechost.exe" service`
1	`ImagePath`	wildcard	`%SystemRoot%\PSEXESVC.exe`, `%SystemRoot%\\RemComSvc.exe`, `%SystemRoot%\pbpsdeploy.exe`, `%SystemRoot%\system32\RemComSvc.exe`, `"C:\Program Files\Common Files\Zoom\Support\CptService.exe*`, `"C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\host\cpsechost.exe" service`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`winlog.event_data.ImagePath`	wildcard	`.bat` `.cmd` `Admin$` `COMSPEC` `\127.0.0.1` `\PerfLogs\` `\Users\` `\Windows\Debug\` `\Windows\Tasks\` `bitsadmin` `certmgr` `certutil` `cmd.exe` `echo` `msbuild` `powershell` `regsvr32` `rundll32` `vssadmin`
`winlog.event_data.ServiceFileName`	match	`%systemroot%\\[a-z0-9]+\.exe`
`winlog.event_data.ServiceFileName`	wildcard	`.bat` `.cmd` `Admin$` `COMSPEC` `RemComSvc` `\127.0.0.1` `\PerfLogs\` `\Users\` `\Windows\Debug\` `\Windows\Tasks\` `bitsadmin` `certmgr` `certutil` `cmd.exe` `echo` `msbuild` `powershell` `regsvr32` `rundll32` `vssadmin`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]