Windows Service Installed via an Unusual Client

Author: Elastic
Source: upstream

Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service

Event coverage

Provider	Event ID	Title
Security-Auditing	4697	A service was installed in the system.

Stages and Predicates

Stage 1: `eql:configuration`

(winlog.event_data.ClientProcessId:0 or winlog.event_data.ParentProcessId:0) and not winlog.event_data.ServiceFileName:"?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe" and event.action:"service-installed" and user.domain starts_with and winlog.event_data.ServiceAccount:"LocalSystem"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`ServiceFileName`	wildcard	`?:\Windows\VeeamVssSupport\VeeamGuestHelper.exe`, `?:\Windows\VeeamLogShipper\VeeamLogShipper.exe`, `%SystemRoot%\system32\Drivers\Crowdstrike\*-CsInstallerService.exe`, `"%windir%\AdminArsenal\PDQInventory-Scanner\service-1\PDQInventory-Scanner-1.exe"` , `"%windir%\AdminArsenal\PDQDeployRunner\service-1\PDQDeployRunner-1.exe"` , `"%windir%\AdminArsenal\PDQInventoryWakeCommand\service-1\PDQInventoryWakeCommand-1.exe"` , `"%SystemRoot%\nsnetpush.exe"`, `"C:\WINDOWS\ccmsetup\ccmsetup.exe" /runservice /ignoreskipupgrade /config:MobileClient.tcf`, `"?:\SMS\bin\x64\srvboot.exe"`, `%SystemRoot%\pbpsdeploy.exe`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`service-installed` corpus 2 (elastic 2)
`winlog.event_data.ClientProcessId`	eq	`0` corpus 2 (sigma 1, elastic 1)
`winlog.event_data.ParentProcessId`	eq	`0` corpus 2 (sigma 1, elastic 1)
`winlog.event_data.ServiceAccount`	eq	`LocalSystem`

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

CobaltStrike Service Installations - Security [sigma] (cross-vendor) (drops 5 filters this rule applies) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Obfuscated IEX Invocation - Security [sigma] (cross-vendor) (drops 5 filters this rule applies) (first-stage match only; downstream stages may differ)
Meterpreter or Cobalt Strike Getsystem Service Installation - Security [sigma] (cross-vendor) (drops 5 filters this rule applies) (first-stage match only; downstream stages may differ)
Service Installed By Unusual Client - Security [sigma] (cross-vendor) (drops 5 filters this rule applies) (first-stage match only; downstream stages may differ)