• QOMPLX Knowledge
  • Jun 28, 2021

QOMPLX Knowledge: Detecting Service Installed on Sensitive Systems

QOMPLX Knowledge: Detecting Service Installed on Sensitive Systems

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Stopping adversaries’ lateral movement within a compromised environment requires defenders to detect a range of malicious or suspicious behaviors. We have spoken for example, about malicious activity linked to Microsoft’s PowerShell as well as tricks like password spraying.

But malicious activity is often difficult to distinguish from the legitimate activity of users, applications and administrators. That’s why defenders need to focus both resources and attention on their highest value IT assets: paying close attention to changes in their security posture that may indicate a compromise. In this post, we’re taking a look at how QOMPLX’s Identity Assurance technology helps customers to spot the creation of new services on sensitive IT systems -- behavior that may be a sign of an emerging attack.

Key Points:

  • Monitoring for the creation of new services on sensitive IT assets is an effective way to identify malicious actors or malicious applications at work in your environment.
  • Tracking instances of Windows Event ID 7045 (a new service was installed) is critical for capturing new service creation, which may indicate that malicious commands or payloads are being run on the system.
  • QOMPLX’s Identity Assurance (IA) product monitors a list of predefined systems (e.g. domain controllers) for Windows Event ID 7045 and alerts administrators when new and unexpected services are created.

Why Services Installed on Sensitive Systems Matter

The creation of new Windows services is a common occurrence in networked environments and is associated with a wide range of activities. However, it may also be indicative of the work of a malicious user or application. In fact, Windows Services are a preferred method attackers use to  gain persistence on compromised systems. New services can be launched in seconds via the command line, but will persist even after a system reboot. Other processes may be ephemeral: disappearing after the application using them is terminated and frustrating forensic efforts.

Fortunately, Windows Event ID 7045, recorded in the System Event Log, provides a record of new services as they are created. The event contains a wide range of information, including the file name of the service and executable, when the process was started and more.

While service creation is fairly common, organizations should pay special attention to a new and unexpected service that is installed on sensitive IT systems such as domain controllers and be alerted whenever unknown or unexpected services launch. Detecting new services may alert incident responders to malicious activity including commands, the deployment of malicious payloads or efforts by attackers to achieve persistence within the environment.

QOMPLX Detection:

QOMPLX Identity Assurance allows organizations to configure a list of sensitive systems and then monitor those for occurrences of Windows Event 7045.

Additional Reading:

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.