Randomly Generated Windows Service Name

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the ut_shannon function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543.003` Create or Modify System Process: Windows Service

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `search`

search EventCode=7045

Stage 2: `lookup`

lookup <lookup> Service_Name, word

Stage 3: `where`

where ut_shannon>3

Stage 4: `table`

table ComputerName, EventCode, Service_File_Name, Service_Name, Service_Start_Type, Service_Type, ut_shannon

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`7045` corpus 12 (splunk 12)
`ut_shannon`	gt	`3` corpus 2 (splunk 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows Bluetooth Service Installed From Uncommon Location [splunk] (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Service Created with Suspicious Service Path [splunk] (adds 2 filters) (first-stage match only; downstream stages may differ)
Windows Snake Malware Service Create [splunk] (adds 2 filters) (first-stage match only; downstream stages may differ)
Clop Ransomware Known Service Name [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Driver Load Non-Standard Path [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows KrbRelayUp Service Creation [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Service Create RemComSvc [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Service Create SliverC2 [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)
Windows Vulnerable Driver Installed [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Invoke-Obfuscation Obfuscated IEX Invocation - System [sigma] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)