New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch

Description

cmd.exe, regedit.exe, and powershell.exe are very rarely launched directly by services.exe (the Service Control Manager). This search detects the first time that happens for a given host and process, a pattern associated with malware that installs itself as a new service for persistence. (MITRE CAR Reference)



Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

There are some very powerful executables on Windows endpoints that should be carefully audited. Most of their executions are legitimate, so the useful signal is the parent process that launches them. The Service Control Manager, services.exe, almost never has a legitimate reason to launch cmd.exe, powershell.exe, or regedit.exe directly; when it does, it usually means a service was registered whose binary path is one of those commands. Incidentally, a common way for malware to masquerade as something legitimate is to name itself service.exe, or to drop a file called services.exe somewhere other than System32, so check the parent's full path and not just its name.

Alert Volume

Very Low (for most companies)

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

New Service

MITRE Threat Groups

APT3
APT32
Carbanak
Cobalt Group
FIN7
Ke3chang
Kimsuky
Lazarus Group
Threat Group-3390
Tropic Trooper

Kill Chain Phases

Installation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor (process name, parent process name, host) are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about search time. If you want to run the search more frequently, or if it is too slow in your environment, use a lookup cache (see the lookup cache option for this example), which stores the earliest time each host+process combination was seen so that each run only has to examine new events instead of re-scanning the full history.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time it fires, it accurately reflects the first occurrence in the time period you are searching over (or, with the lookup cache feature, the first occurrence over whatever period you built the lookup from). So while there are no "false positives" in the traditional sense, there can be noise.

This detection should produce relatively few false positives, given how rarely any of these programs are launched as services. Some system management or deployment tools register a service whose binary path is a cmd.exe or powershell.exe wrapper; those will fire once per host the first time the service runs and can be reviewed, then filtered out of the search by host and command line.

How To Respond

When this search returns values, initiate your incident response process and identify the system demonstrating this behavior. Determine the time, the full command line of the process that was executed, and the account it ran as (services.exe children typically run as SYSTEM or as the configured service account, so the interesting question is who installed or modified the service; service installation events such as System Event ID 7045 or Security Event ID 4697 help answer that). Contact the system owner to determine whether it is authorized, and document that it is authorized and by whom. If it is not, treat the host as compromised, assume the installing credentials may have been used by another party, and investigate further to determine why services.exe is launching cmd.exe, regedit.exe or powershell.exe.

Help

New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of process launch events (Event ID 4688) where known suspicious tools are launched as a service. Note that 4688 only carries the parent process name (Creator Process Name) on Windows 10 / Server 2016 and later; on older systems, use Sysmon Event ID 1 or EDR telemetry, which record the parent image. For this analysis we effectively group by process name and host, which gives us one row for each process_name+hostname combination, and we check whether the first time that combination occurred was in the last day.

SPL for New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch

Demo Data

First we pull in our demo dataset.
Then we filter to events where the process is one of the three Windows executables of interest and the parent process is services.exe.
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of host and process name.
Next we calculate the most recent timestamp in our demo dataset, which stands in for "now".
We end by checking whether the earliest time we have seen this combination is within the last day before the end of our demo dataset.

Live Data

Here we pull in our dataset of Microsoft Sysmon logs (EDR logs will also suffice), and filter to events where the process is one of the three Windows executables of interest and the parent process is services.exe.
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of host and process name.
We end by checking whether the earliest time we have seen this combination is within the last day.
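The demo-data and live-data steps above describe the same first-time-seen logic; here it is carried out end to end in Python, as an added example that is not the page's own SPL, so the two modes can be run and compared offline. Field names follow Sysmon Event ID 1 (Image, ParentImage); a 4688 feed maps "New Process Name" and "Creator Process Name" onto the same two fields. The events, host names and paths are constructed for the example. The second function covers the masquerading note from the Security Impact section: a parent called service.exe, or a services.exe outside System32, is deliberately not matched by the main search and is reported separately instead.

```python
"""First-time-seen detection for cmd.exe / powershell.exe / regedit.exe
spawned by services.exe, over constructed process-launch events.
Added example, not the page's SPL; hosts, paths and times are made up."""
from datetime import datetime, timedelta, timezone

SUSPICIOUS = {"cmd.exe", "powershell.exe", "regedit.exe"}  # children of interest
SCM_PARENT = "services.exe"                                 # Service Control Manager
SCM_PATH = r"c:\windows\system32\services.exe"              # where the real one lives
WINDOW = timedelta(days=1)                                  # "within the last day"


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_seen(events, now=None, window=WINDOW):
    """Rows for host+process pairs whose earliest matching launch lies
    within `window` of `now`.

    Same steps as the page: filter on child and parent name, compute
    earliest/latest/count per host+process (the stats step), then keep
    pairs whose earliest time is inside the window.  now=None uses the
    newest event in the dataset, as the demo-data search does; pass
    now=datetime.now(timezone.utc) for the live-data behaviour.
    """
    hits = [e for e in events
            if _basename(e["Image"]) in SUSPICIOUS
            and _basename(e["ParentImage"]) == SCM_PARENT]

    stats = {}  # (host, process) -> [earliest, latest, count]
    for e in hits:
        key = (e["host"].lower(), _basename(e["Image"]))
        t = e["_time"]
        row = stats.setdefault(key, [t, t, 0])
        row[0] = min(row[0], t)
        row[1] = max(row[1], t)
        row[2] += 1

    if now is None:
        now = max(e["_time"] for e in events)  # demo-data mode
    cutoff = now - window
    return [
        {"host": h, "process": p, "earliest": er, "latest": lt, "count": n}
        for (h, p), (er, lt, n) in sorted(stats.items())
        if er >= cutoff
    ]


def masquerading_services(events):
    """(host, path) pairs for any image or parent named service(s).exe that
    is not the real System32 services.exe.  first_seen() keys on the parent
    name and so never matches a lookalike; this surfaces it as its own signal."""
    suspects = set()
    for e in events:
        for field in ("Image", "ParentImage"):
            path = e[field]
            if (_basename(path) in {"service.exe", "services.exe"}
                    and path.lower() != SCM_PATH):
                suspects.add((e["host"], path))
    return sorted(suspects)


# Constructed sample telemetry (not real data).  T0 is the end of the dataset.
T0 = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    # routine SCM child, ignored by the filter
    {"_time": T0 - timedelta(days=5), "host": "WS01",
     "Image": SYS32 + r"\svchost.exe", "ParentImage": SYS32 + r"\services.exe"},
    # WS01 has had a cmd.exe service for weeks: seen again today, but not new
    {"_time": T0 - timedelta(days=20), "host": "WS01",
     "Image": SYS32 + r"\cmd.exe", "ParentImage": SYS32 + r"\services.exe"},
    {"_time": T0 - timedelta(hours=2), "host": "WS01",
     "Image": SYS32 + r"\cmd.exe", "ParentImage": SYS32 + r"\services.exe"},
    # cmd.exe under explorer.exe is an interactive launch, not a service
    {"_time": T0 - timedelta(hours=1), "host": "WS02",
     "Image": SYS32 + r"\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # genuinely new: powershell.exe under services.exe on WS02, three hours ago
    {"_time": T0 - timedelta(hours=3), "host": "WS02",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": SYS32 + r"\services.exe"},
    # lookalike parent: not matched by first_seen, caught by masquerading_services
    {"_time": T0 - timedelta(hours=1), "host": "WS03",
     "Image": r"C:\Windows\regedit.exe", "ParentImage": r"C:\Users\Public\service.exe"},
]

if __name__ == "__main__":
    for row in first_seen(SAMPLE_EVENTS):
        print("NEW:", row["host"], row["process"], row["earliest"], row["count"])
    for host, path in masquerading_services(SAMPLE_EVENTS):
        print("LOOKALIKE:", host, path)
```

The stats step corresponds to the SPL idiom `stats earliest(_time) latest(_time) count by host, process_name` and the final filter to a `where earliest >= relative_time(now(), "-1d")` style condition; the Python keeps the same three outputs per row so the result can be compared against a Splunk run on the same events.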