Detection rules › Splunk
Windows Service Created with Suspicious Service Name
The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the wineventlog_system to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 |
Stages and Predicates
Stage 1: search
search EventCode=7045
Stage 2: stats
stats BY Computer, ServiceName, StartType, ServiceType, UserID
Stage 3: eval
eval ... using (process)
Stage 4: rename
rename
Stage 5: lookup
lookup <lookup> object_name, service_name
Stage 6: where
where isnotnull(tool_name)
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Bluetooth Service Installed From Uncommon Location (adds 2 filters)
- Windows Service Created with Suspicious Service Path (adds 2 filters)
- Windows Snake Malware Service Create (adds 2 filters)
- Clop Ransomware Known Service Name (adds 1 filter)
- Windows Driver Load Non-Standard Path (adds 1 filter)
- Windows KrbRelayUp Service Creation (adds 1 filter)
- Windows Service Create RemComSvc (adds 1 filter)
- Windows Service Create SliverC2 (adds 1 filter)
- Windows Vulnerable Driver Installed (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)