[New Rule] Windows Service Installed via an Unusual Client (#1759)

* [New Rule] Windows Service Installed via an Unusual Client https://www.x86matthew.com/view_post?id=create_svc_rpc * Update non-ecs-schema.json * Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add ```s * Update privilege_escalation_windows_service_via_unusual_client.toml * add missing comma to schema Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit 326aa64ff6)
2022-02-11 21:56:59 +01:00
parent 817400d0c7
commit c5fa838d30
2 changed files with 73 additions and 3 deletions
@@ -16,18 +16,20 @@
        "AttributeValue": "keyword",
        "CallerProcessName": "keyword", 
        "CallTrace": "keyword",
+        "ClientProcessId": "keyword",
        "GrantedAccess": "keyword",
+        "NewTargetUserName": "keyword",
        "ObjectDN": "keyword",
+        "OldTargetUserName": "keyword",
        "OriginalFileName": "keyword",
+        "ParentProcessId": "keyword",
        "RelativeTargetName": "keyword",
        "ShareName": "keyword",
        "SubjectLogonId": "keyword",
        "TargetImage": "keyword",
        "TargetLogonId": "keyword",
        "TargetProcessGUID": "keyword",
-        "TargetSid": "keyword",
-        "OldTargetUserName": "keyword",
-        "NewTargetUserName": "keyword"
+        "TargetSid": "keyword"
      }
    },
    "winlog.logon.type": "keyword",
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2022/02/07"
+maturity = "production"
+updated_date = "2022/02/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator
+privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from
+administrator to SYSTEM.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Windows Service Installed via an Unusual Client"
+note = """## Config
+
+The 'Audit Security System Extension' logging policy must be configured for (Success)
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+System > 
+Audit Security System Extension (Success)
+```
+"""
+references = [
+    "https://www.x86matthew.com/view_post?id=create_svc_rpc",
+    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697",
+    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"
+]
+risk_score = 73
+rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.action:"service-installed"  and (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1543"
+name = "Create or Modify System Process"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+id = "T1543.003"
+name = "Windows Service"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0004/"
+id = "TA0004"
+name = "Privilege Escalation"
+