windows_service_abuse.yml
name: Windows Service Abuse
id: 6dbd810e-f66d-414b-8dfc-e46de55cbfe2
version: 3
date: '2017-11-02'
author: Rico Valdez, Splunk
status: production
description: Windows services are often used by attackers for persistence and the
  ability to load drivers or otherwise interact with the Windows kernel. This Analytic
  Story helps you monitor your environment for indications that Windows services are
  being modified or created in a suspicious manner.
narrative: The Windows operating system uses a services architecture to allow for
  running code in the background, similar to a UNIX daemon. Attackers will often leverage
  Windows services for persistence, hiding in plain sight, seeking the ability to
  run privileged code that can interact with the kernel. In many cases, attackers
  will create a new service to host their malicious code. Attackers have also been
  observed modifying unnecessary or unused services to point to their own code, as
  opposed to what was intended. In these cases, attackers often use tools to create
  or modify services in ways that are not typical for most environments, providing
  opportunities for detection.
references:
  - https://attack.mitre.org/wiki/Technique/T1050
  - https://attack.mitre.org/wiki/Technique/T1031
tags:
  category:
    - Malware
  product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
  usecase: Advanced Threat Detection
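The narrative above names three detection opportunities: a new service created to host attacker code, an existing (often unused) service whose ImagePath is repointed, and service-management tooling that is atypical for the environment. The script below is an added example, not Splunk's detection content and not part of this Analytic Story. It applies those three checks to constructed records shaped like the Windows System log Event ID 7045 (new service installed), Sysmon Event ID 13 (registry value set on a service key's ImagePath) and Sysmon Event ID 1 (process creation, here sc.exe). The trusted-directory list, the LOLBin list, the service baseline and every sample record are assumptions made for the example.

```python
"""Heuristics for spotting suspicious Windows service creation and modification.

Added example; this is not Splunk's own detection content. It scores constructed
records shaped like three Windows telemetry sources that surface service abuse:
  * System log Event ID 7045 (a new service was installed),
  * Sysmon Event ID 13 (registry value set; here the ImagePath under a service key),
  * Sysmon Event ID 1 (process creation; here sc.exe creating or reconfiguring a service).
Field names follow the Windows event schemas, but every record below is hand-built.
"""
import re

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\",
                 "\\windows\\tasks\\", "\\perflogs\\")
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Expansions applied before path checks; driver ImagePaths often use \SystemRoot or relative paths.
EXPANSIONS = {"%comspec%": "c:\\windows\\system32\\cmd.exe", "%systemroot%": "c:\\windows",
              "%windir%": "c:\\windows", "\\systemroot": "c:\\windows"}
# Constructed baseline (assumption): existing services and the ImagePath each is expected to keep.
SERVICE_BASELINE = {"fax": "c:\\windows\\system32\\fxssvc.exe"}
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)\\imagepath$")
SC_MODIFY = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?(create|config)\s+(\S+)", re.I)
ENCODED_PS = re.compile(r"\s-e(?:ncodedcommand|nc)?\s+[a-z0-9+/=]{20,}")


def split_image_path(image_path):
    """Lowercase, expand variables, drop the \\??\\ prefix; return (executable, full command)."""
    full = image_path.strip().lower()
    for var, val in EXPANSIONS.items():
        full = full.replace(var, val)
    if full.startswith("\\??\\"):
        full = full[4:]
    exe = full[1:full.index('"', 1)] if full.startswith('"') else full.split(" ", 1)[0]
    if not re.match(r"[a-z]:\\|\\\\", exe):       # relative paths resolve under %SystemRoot%
        exe = "c:\\windows\\" + exe
    return exe, full


def path_findings(image_path, service_type=""):
    """Findings about where a service binary lives and what it actually runs."""
    exe, full = split_image_path(image_path)
    findings = []
    untrusted = not exe.startswith(TRUSTED_DIRS)
    if untrusted:
        findings.append("binary outside trusted directories")
    if any(d in exe for d in USER_WRITABLE):
        findings.append("binary in user-writable directory")
    if exe.rsplit("\\", 1)[-1] in LOLBINS:
        findings.append("service hosted by a script interpreter or LOLBin")
    if ENCODED_PS.search(full):
        findings.append("encoded PowerShell payload in ImagePath")
    if "driver" in service_type.lower() and untrusted:
        findings.append("kernel driver loaded from untrusted path")
    return findings


def score_event(event):
    """Return the findings for one record; an empty list means nothing suspicious."""
    eid = event["event_id"]
    if eid == 7045:                                   # new service installed
        return path_findings(event["image_path"], event.get("service_type", ""))
    if eid == 13:                                     # registry value set
        m = SERVICE_KEY.search(event["target_object"].lower())
        if not m:
            return []
        name, findings = m.group(1), path_findings(event["details"])
        expected = SERVICE_BASELINE.get(name)
        if expected and split_image_path(event["details"])[0] != expected:
            findings.append(f"ImagePath of existing service '{name}' repointed")
        return findings
    if eid == 1:                                      # process creation
        m = SC_MODIFY.search(event["command_line"])
        return [f"sc.exe {m.group(1).lower()} run against service '{m.group(2)}'"] if m else []
    return []


def triage(events):
    """Map each record's label (service name, registry key or command line) to its findings."""
    out = {}
    for ev in events:
        label = ev.get("service_name") or ev.get("target_object") or ev.get("command_line")
        findings = score_event(ev)
        if findings:
            out[label] = findings
    return out


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"event_id": 7045, "service_name": "Sysmon64", "image_path": "C:\\Windows\\Sysmon64.exe",
     "service_type": "user mode service"},
    {"event_id": 7045, "service_name": "exdrv", "image_path": "system32\\DRIVERS\\exdrv.sys",
     "service_type": "kernel mode driver"},
    {"event_id": 7045, "service_name": "svc_a1b2c3",
     "image_path": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc "
                   "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwA=", "service_type": "user mode service"},
    {"event_id": 7045, "service_name": "WinUpdSvc",
     "image_path": "\"C:\\Users\\Public\\Libraries\\svchost.exe\" -k netsvcs",
     "service_type": "user mode service"},
    {"event_id": 7045, "service_name": "capdrv", "image_path": "\\??\\C:\\ProgramData\\capdrv\\cap.sys",
     "service_type": "kernel mode driver"},
    {"event_id": 13, "target_object": "HKLM\\System\\CurrentControlSet\\Services\\Fax\\ImagePath",
     "details": "C:\\Users\\Public\\fax.exe"},
    {"event_id": 1, "command_line": "sc.exe config Fax binpath= C:\\Users\\Public\\fax.exe"},
    {"event_id": 1, "command_line": "sc.exe query Fax"},
]

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_EVENTS).items():
        print(f"{label}: {'; '.join(findings)}")
```

The path normalisation matters more than the heuristics: legitimate drivers are registered with `\SystemRoot\...`, `\??\C:\...` or a path relative to the Windows directory, so a check that only looks for `C:\Windows\` will either fire on every driver or miss the ones that matter. In a deployment the baseline of expected ImagePaths would come from a golden image or asset inventory rather than a hard-coded dict, and the same conditions would be expressed as a search over the 7045 and Sysmon sourcetypes rather than run in a script.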