New Service Paths for Host

Description

New service creations are uncommon for most hosts. This search will look for both new executables and executables running from new paths launched by services.exe.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

Although it is useful to know what paths are involved with services launched on an endpoint, unless the system is considered “locked down”, such as a single-purpose system (POS, kiosk, etc.), this will result in significant noise because new services are being created on endpoints all of the time. Therefore, this type of search is best applied with a whitelist so that only ‘unapproved’ service paths are reported.

Alert Volume

High

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Defense Evasion
Privilege Escalation

MITRE ATT&CK Techniques

Masquerading
New Service

MITRE Threat Groups

APT1
APT3
APT32
APT41
BRONZE BUTLER
Carbanak
Cobalt Group
Dragonfly 2.0
FIN6
FIN7
Ke3chang
Kimsuky
Lazarus Group
MuddyWater
PLATINUM
Patchwork
Poseidon Group
Scarlet Mimic
Soft Cell
Sowbug
TEMP.Veles
Threat Group-3390
Tropic Trooper
admin@338
menuPass

Kill Chain Phases

Exploitation
Installation
Command and Control

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or, for the lookup cache feature, the first occurrence over whatever time period you built the lookup for). But while there are really no "false positives" in a traditional sense, there is definitely a lot of noise.

New Service Creations should be fairly rare for most systems, occurring only when new software is installed or there is a Windows upgrade. You may want to filter out tools that you know help desk staff often install (for example, the Wireshark libpcap service), and any other common tools in your environment, but ultimately the efficacy of this search depends on how much change there is in your particular environment, and may or may not be that reliable. In the worst case, you can use it as a background contextual item for notable events.

How To Respond

When this search returns values, initiate your incident response process and capture the time of the event, executable, its associated path, the system, user and other pertinent information. Contact the owner of the systems. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials have been used by another party and additional investigation is warranted to determine if services.exe has spawned new executables on new paths.

Help

New Service Paths for Host Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of process launch events (Event ID 4688) filtered for service launches. We find the first time each path has occurred per host, and then alert if that first occurrence was in the last day.

SPL for New Service Paths for Host

Demo Data

  • First we pull in our demo dataset.
  • Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
  • Next we calculate the most recent value in our demo dataset.
  • We end by checking whether the earliest time we've seen this value is within the last day before the end of our demo dataset.

Live Data

  • First we pull in our dataset of Windows process launch logs filtered to where services.exe is the Parent Process, courtesy of EventID 4688 as documented in this app. Any other EDR solution giving process launch logs will suffice here, as well.
  • Then we use table to include just the fields we're apt to care about. (Technically we need to use | table for this app because we show you the intermediate results, but in production you should drop this line because it will reduce search performance.)
  • Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
  • We end by checking whether the earliest time we've seen this value is within the last day.