Solved

Track EID 7045 windows events to monitor new services

  • March 8, 2024
  • 3 replies
  • 32 views


Does anyone have a sample rule they can share with me to track EID 7045 windows events to monitor new services? 

Also any sample rules or pointers you can provide for this detection would be a ton of help.

- Randomized powershell executables - hash is powershell.exe but file name is different.

Best answer by jstoner

3 replies

jstoner
Staff
  • March 11, 2024

Here is a starter rule that would track new services being created. I'm grouping by the host but clearly there is a lot of additional tweaking that could be done to view by user or service as well as using watchlists(reference lists) or tying into other process executions.

rule new_service_tracking {
  meta:
    author = "Google Cloud Security"
    description = "Identify services being created and by whom"
    platform = "Windows"
    severity = "Low"
    priority = "Low"

  events:
    $service.metadata.event_type = "SERVICE_CREATION"
    $service.metadata.product_name = "Service Control Manager"
    $service.metadata.vendor_name = "Microsoft"
    $service.metadata.product_event_type = "7045"
    $service.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 10
    $user_initiated = array_distinct($service.principal.user.userid)
    $service_name = array_distinct($service.target.application)
    $service_file_path = array_distinct($service.target.process.file.full_path)

  condition:
    $service
}
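As an added illustration (not part of jstoner's answer and not the product's own code), the same filter-then-group-per-host logic in Python over constructed events, so the rule's four filters and its array_distinct outcome variables can be checked offline. The flattened field names, the sample events and the use of epoch-aligned tumbling windows in place of the product's match window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # mirrors "match: $hostname over 5m"

def ev(ts, hostname, userid, service, path, code="7045", etype="SERVICE_CREATION"):
    """Build a flattened, UDM-like event dict (constructed sample data, not real telemetry)."""
    return {"ts": ts, "event_type": etype, "product_name": "Service Control Manager",
            "vendor_name": "Microsoft", "product_event_type": code, "hostname": hostname,
            "userid": userid, "service": service, "file_path": path}

SAMPLE_EVENTS = [
    ev("2024-03-11T10:00:05", "ws01", "CORP\\alice", "UpdaterSvc", "C:\\Program Files\\Updater\\updater.exe"),
    ev("2024-03-11T10:03:40", "ws01", "CORP\\alice", "UpdaterSvc", "C:\\Program Files\\Updater\\updater.exe"),
    ev("2024-03-11T10:04:10", "ws01", "CORP\\svc-admin", "TelemetrySvc", "C:\\Users\\Public\\telemetry.exe"),
    ev("2024-03-11T10:09:00", "ws02", "CORP\\bob", "PrintHelper", "C:\\Windows\\System32\\printhelper.exe"),
    # EID 7034 (service terminated unexpectedly) is not a creation and must not match.
    ev("2024-03-11T10:01:00", "ws01", "SYSTEM", "Spooler", "C:\\Windows\\System32\\spoolsv.exe",
       code="7034", etype="SERVICE_STOP"),
]

def matches_rule(e):
    """The four equality filters from the rule's events: section."""
    return (e["event_type"] == "SERVICE_CREATION"
            and e["product_name"] == "Service Control Manager"
            and e["vendor_name"] == "Microsoft"
            and e["product_event_type"] == "7045")

def detect(events, window=WINDOW):
    """Group matching events per host into tumbling windows (an approximation of the
    product's match window, assumed here) and compute the rule's outcome variables."""
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for e in events:
        if matches_rule(e):
            ts = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc)
            buckets[(e["hostname"], int(ts.timestamp() // secs))].append(e)
    detections = []
    for (hostname, idx), evs in sorted(buckets.items()):
        detections.append({
            "hostname": hostname,
            "window_start": datetime.fromtimestamp(idx * secs, tz=timezone.utc).isoformat(),
            "risk_score": 10,  # the rule's constant outcome score
            "user_initiated": sorted({x["userid"] for x in evs}),      # array_distinct(...userid)
            "service_name": sorted({x["service"] for x in evs}),       # array_distinct(...application)
            "service_file_path": sorted({x["file_path"] for x in evs}),
        })
    return detections
```

Running detect(SAMPLE_EVENTS) yields one detection per host-window: ws01 with two distinct users and two services in the 10:00 window, ws02 with one, and the 7034 event dropped by the filter.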

mikewilusz
Staff
  • March 12, 2024

You'll want to use the following UDM field (though its content may vary on the log source). This worked in my environment with NXLog.

metadata.product_event_type = "7045"

  • Author
  • Bronze 3
  • March 12, 2024

Thank you Google Team, much appreciated!