QOMPLX Knowledge: Detecting Service Installed on Sensitive Systems

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Stopping adversaries’ lateral movement within a compromised environment requires defenders to detect a range of malicious or suspicious behaviors. We have spoken for example, about malicious activity linked to Microsoft’s PowerShell as well as tricks like password spraying.

But malicious activity is often difficult to distinguish from the legitimate activity of users, applications and administrators. That’s why defenders need to focus both resources and attention on their highest value IT assets: paying close attention to changes in their security posture that may indicate a compromise. In this post, we’re taking a look at how QOMPLX’s Identity Assurance technology helps customers to spot the creation of new services on sensitive IT systems -- behavior that may be a sign of an emerging attack.

Key Points:

  • Monitoring for the creation of new services on sensitive IT assets is an effective way to identify malicious actors or malicious applications at work in your environment.
  • Tracking instances of Windows Event ID 7045 (a new service was installed) is critical for capturing new service creation, which may indicate that malicious commands or payloads are being run on the system.
  • QOMPLX’s Identity Assurance (IA) product monitors a list of predefined systems (e.g. domain controllers) for Windows Event ID 7045 and alerts administrators when new and unexpected services are created.

Why Services Installed on Sensitive Systems Matter

The creation of new Windows services is a common occurrence in networked environments and is associated with a wide range of activities. However, it may also be indicative of the work of a malicious user or application. In fact, Windows Services are a preferred method attackers use to  gain persistence on compromised systems. New services can be launched in seconds via the command line, but will persist even after a system reboot. Other processes may be ephemeral: disappearing after the application using them is terminated and frustrating forensic efforts.

Fortunately, Windows Event ID 7045, recorded in the System Event Log, provides a record of new services as they are created. The event contains a wide range of information, including the file name of the service and executable, when the process was started and more.

While service creation is fairly common, organizations should pay special attention to a new and unexpected service that is installed on sensitive IT systems such as domain controllers and be alerted whenever unknown or unexpected services launch. Detecting new services may alert incident responders to malicious activity including commands, the deployment of malicious payloads or efforts by attackers to achieve persistence within the environment.

QOMPLX Detection:

QOMPLX Identity Assurance allows organizations to configure a list of sensitive systems and then monitor those for occurrences of Windows Event 7045.

Additional Reading:

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688

Detecting Lateral Movement Through Tracking Event Logs