detection.wiki

Detection rules › Splunk

Windows Snake Malware Service Create

Author
Michael Haag, Splunk
Source
upstream

The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory. It leverages Windows System logs, specifically EventCode 7045, to identify this activity. This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services. If confirmed malicious, this activity could allow an attacker to execute Snake malware components, leading to potential data exfiltration, system compromise, and long-term persistence within the environment.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1569.002 System Services: Service Execution
PersistenceT1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
Privilege EscalationT1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Event coverage

ProviderEvent IDTitle
Service-Control-Manager7045

Stages and Predicates

Stage 1: search

search EventCode=7045 ImagePath="*\Werfault.exe" ImagePath="*\\windows\\winSxS\\*"

Stage 2: stats

stats BY Computer, EventCode, ImagePath, ServiceName, ServiceType

Stage 3: rename

rename

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 7045 corpus 12 (splunk 12)
ImagePatheq
  • "*\Werfault.exe"
  • "*\\windows\\winSxS\\*"

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.