
Windows Service Event Logs [0.1]

h3xadismal edited this page Sep 15, 2020 · 4 revisions

Overview

This artefact searches for misuse of Windows services to run malware and gain persistence on a system. Services let programs keep running across restarts of the system, for example to deliver automatic updates.

Detection Approach

A search is performed across the System Event log (C:\Windows\System32\winevt\logs\System.evtx) to identify services that were created to run the Windows Command Prompt. Specifically, the search identifies service installations whose command line references the '%COMSPEC%' environment variable. This activity is commonly observed with known attackers, as most post-exploitation tools that move laterally through Windows utilities, such as 'smbexec', install services of this kind.

Detection Artefact

Packs.CyberCX.Windows.ServiceEventLogs

Interpreting the Results

Investigations

Suspicious Windows Event Logs

The detected activity may be created by an administrator to perform specific tasks. The following investigative activity should be performed to determine if this behaviour is expected or not. Please note that the services identified may no longer exist in the current environment.

  • Is the service legitimate?
  • Is it capable of running a Command Prompt?
  • Does it look like it may potentially relate to other malicious activity?

For each detection, examine the service and any duplicates running the same code to determine whether they:

  • Contain the text '%COMSPEC%'. If not, the detection may be a false positive.
  • Are not a known part of the environment. Confirm this with the administrators of the computer and with any application providers that service the computer or the applications on it.
  • Are capable of running malicious code, and what form that might take. Check what the script actually does rather than relying on its appearance.

Further Actions

For each service identified as potentially malicious, further actions should be taken to confirm the following:

  • Is this service still present on the machine? This can be confirmed by running 'Autoruns' from the Windows Sysinternals toolkit, through Task Manager, or with the built-in Windows services utility. Note that these may not identify services that are not actively running.
  • What does this service do? Does it run another file or program with unknown purpose, or read data from a location?
  • Does the service have any encoded commands that may require decoding?
  • Where did this service originate from? What user was associated with it? Check the timestamp associated with the service, which indicates when it was created.
  • What other activity, such as programs being executed, was observed at this time? Were any users at the keyboard then?
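The following Python script is an added example covering both the Detection Approach above and the "encoded commands" item in this checklist; it is not the artefact's own query, which is not shown on this page. It assumes the System.evtx records are available as Windows event XML (the schema produced when events are exported from the log), and it keys on Service Control Manager Event ID 7045 ("A service was installed in the system"), which is the record that carries the ImagePath of a newly created service. The event records, service names, paths and account values are constructed for illustration, and the `decode_encoded_command` helper, which unpacks a PowerShell `-EncodedCommand` payload (base64 of UTF-16LE text), is an assumption about one common encoding rather than anything the page specifies.

```python
"""Added example: triage Service Control Manager 7045 events for %COMSPEC% services.

Assumes records are Windows event XML as exported from System.evtx. The sample
records below are constructed for illustration, not taken from a real host.
"""
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SERVICE_INSTALLED_ID = "7045"  # SCM: "A service was installed in the system"
COMSPEC_RE = re.compile(r"%COMSPEC%", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and its accepted abbreviations, longest first.
ENCODED_CMD_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class ServiceInstall:
    time_created: str   # when the service was created (TimeCreated SystemTime)
    computer: str
    service_name: str
    image_path: str     # the command line the service runs
    account_name: str   # account the service runs as
    installer_sid: str  # SID of the user who installed it (System/Security UserID)

    def uses_comspec(self) -> bool:
        return bool(COMSPEC_RE.search(self.image_path))


def parse_service_install(xml_text: str) -> Optional[ServiceInstall]:
    """Return a ServiceInstall for a 7045 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    if system is None:
        return None
    if system.findtext("e:EventID", default="", namespaces=EVT_NS) != SERVICE_INSTALLED_ID:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    time_el = system.find("e:TimeCreated", EVT_NS)
    sec_el = system.find("e:Security", EVT_NS)
    return ServiceInstall(
        time_created=time_el.get("SystemTime", "") if time_el is not None else "",
        computer=system.findtext("e:Computer", default="", namespaces=EVT_NS),
        service_name=data.get("ServiceName", ""),
        image_path=data.get("ImagePath", ""),
        account_name=data.get("AccountName", ""),
        installer_sid=sec_el.get("UserID", "") if sec_el is not None else "",
    )


def find_comspec_services(records: Iterable[str]) -> List[ServiceInstall]:
    """Keep only service installations whose ImagePath references %COMSPEC%."""
    hits = []
    for xml_text in records:
        install = parse_service_install(xml_text)
        if install is not None and install.uses_comspec():
            hits.append(install)
    return hits


def decode_encoded_command(image_path: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE) if present."""
    m = ENCODED_CMD_RE.search(image_path)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _record(event_id: str, name: str = "", image_path: str = "", account: str = "",
            when: str = "2020-09-14T03:12:45.000000000Z") -> str:
    """Build a constructed event record in the Windows event XML schema."""
    return f"""<Event xmlns="{EVT_NS['e']}">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>WKSTN01.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="ServiceName">{escape(name)}</Data>
    <Data Name="ImagePath">{escape(image_path)}</Data>
    <Data Name="AccountName">{escape(account)}</Data>
  </EventData>
</Event>"""


# Constructed samples: a %COMSPEC% service, a benign service, a non-install event
# (7036, service state change), and a lower-case %comspec% with an encoded payload.
_ENCODED = base64.b64encode("Write-Output hello".encode("utf-16le")).decode("ascii")
SAMPLE_RECORDS = [
    _record("7045", "UpdateHelper", r"%COMSPEC% /Q /c C:\Windows\Temp\run.bat", "LocalSystem"),
    _record("7045", "ExampleUpdateSvc", r'"C:\Program Files\Example\updatesvc.exe"', "LocalSystem"),
    _record("7036", "ExampleUpdateSvc"),
    _record("7045", "SyncTask", f"%comspec% /c powershell -enc {_ENCODED}", "LocalSystem"),
]

if __name__ == "__main__":
    for hit in find_comspec_services(SAMPLE_RECORDS):
        print(f"{hit.time_created} {hit.computer} {hit.service_name} "
              f"(runs as {hit.account_name}, installed by SID {hit.installer_sid})")
        print(f"  ImagePath: {hit.image_path}")
        decoded = decode_encoded_command(hit.image_path)
        if decoded:
            print(f"  Decoded command: {decoded}")
```

Each hit carries the fields the checklist asks about: the creation timestamp, the installing user's SID and the account the service runs as, and the full command line, so the same record answers "where did it originate", "what user", and "when" without a second lookup. The match is case-insensitive because the variable is written inconsistently in practice; a record that is not a 7045 installation is dropped before any string matching, so state-change or stop/start noise from the same log never produces a hit.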

References

Need Help?

If you've followed the steps above, but still believe your system may have been compromised, please refer to our wiki for more information about how to contact the CyberCX Digital Forensics and Incident Response (DFIR) team.

Revision History

[v0.1]:
