First Time Seen Running Windows Service
The following analytic detects the first occurrence of a Windows service running in your environment. It leverages Windows system event logs, specifically EventCode 7036, to identify services entering the "running" state. This activity is significant because the appearance of a new or previously unseen service could indicate the installation of unauthorized or malicious software. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, maintain persistence, or escalate privileges within the environment. Monitoring for new services helps in early detection of potential threats.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7036 | |
Stages and Predicates
Stage 1: search
search EventCode=7036
Stage 2: rex
rex field=Message ...
Stage 3: where
where state="running"
Stage 4: lookup
lookup <lookup> firstTimeSeen, service
Stage 5: where
where (firstTimeSeen> OR isnull(firstTimeSeen))
Stage 6: table
table _time, dest, service
Stage 7: search
search `macro`
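The stage pipeline above, re-implemented in Python over constructed 7036 events as an added example (not the rule's own SPL). The regex for the Message text, the sample events, the baseline lookup and the 7-day recency window are all assumptions of this example; the page elides the rule's actual rex pattern, lookup name and comparison value, and the final filter macro (stage 7) is omitted.

```python
import re
from datetime import datetime, timedelta

# Message layout of a Service Control Manager EventCode 7036 entry; the regex
# is this example's own assumption, not the rule's rex pattern.
SERVICE_STATE_RE = re.compile(
    r"^The (?P<service>.+?) service entered the (?P<state>\w+) state\.?$"
)

# Constructed sample events (not real telemetry); field names mirror Splunk's.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "dest": "ws01", "EventCode": 7036,
     "Message": "The Windows Update service entered the running state."},
    {"_time": "2024-05-01T09:05:00", "dest": "ws01", "EventCode": 7036,
     "Message": "The Print Spooler service entered the stopped state."},
    {"_time": "2024-05-01T09:10:00", "dest": "ws02", "EventCode": 7036,
     "Message": "The SvcHelper7 service entered the running state."},
    {"_time": "2024-05-01T09:11:00", "dest": "ws02", "EventCode": 7045,
     "Message": "A service was installed in the system."},
]

# Constructed stand-in for the previously-seen-services lookup:
# service name -> first time it was observed running.
BASELINE = {"Windows Update": datetime(2023, 1, 15),
            "Print Spooler": datetime(2023, 1, 15)}

def parse_service_state(message):
    """Stage 2 (rex): pull service and state out of the 7036 Message text."""
    m = SERVICE_STATE_RE.match(message)
    return (m.group("service"), m.group("state").lower()) if m else (None, None)

def first_time_seen_running(events, baseline, now, window=timedelta(days=7)):
    """Stages 1-6: rows of _time/dest/service for services first seen running.

    A service fires when the lookup has no entry for it (isnull) or when its
    firstTimeSeen is newer than now - window; the 7-day window is assumed.
    """
    cutoff = now - window
    rows = []
    for ev in events:
        if ev["EventCode"] != 7036:                  # stage 1: EventCode=7036
            continue
        service, state = parse_service_state(ev["Message"])
        if state != "running":                       # stage 3: state="running"
            continue
        first_seen = baseline.get(service)           # stage 4: lookup
        if first_seen is None or first_seen > cutoff:   # stage 5: where
            rows.append({"_time": ev["_time"], "dest": ev["dest"],
                         "service": service})        # stage 6: table
    return rows
```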
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 7036 |
| state | eq | running |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Cisco Secure Endpoint Related Service Stopped (adds 2 filters)