Detectionhightest

Service Installed By Unusual Client - Security

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim Rauch, Elastic SecurityCreated Thu Sep 15Updated Wed Jan 04c4e92a97-a9ff-4392-9d2d-7a4c642768cawindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697

Detection Logic

detection:
    selection_eid:
        EventID: 4697
    selection_pid:
        - ClientProcessId: 0
        - ParentProcessId: 0
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1543 · Create or Modify System Process

Related Rules

SimilarDetectionhigh

Service Installed By Unusual Client - System

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

c4e92a97-a9ff-4392-9d2d-7a4c642768ca

Status

test

Level

high

Type

Detection

Created

Thu Sep 15

Modified

Wed Jan 04

Author

Tim Rauch, Elastic Security

Path

rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml

Raw Tags

attack.persistenceattack.privilege-escalationattack.t1543

View on GitHub