Windows Suspicious Services

These detections identify suspicious activity from service installation events collected by Insight Agent from Windows endpoints.

Attacker Technique - Cloudflared Agent Service Installed

Description

This detection identifies services being installed with ‘Cloudflared agent’ in the service name. Cloudflared is legitimate software, but malicious actors use it to tunnel network traffic and hide the IP address of the attacker's infrastructure from the victim.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Protocol Tunneling - T1572

Attacker Technique - Remote Access Tool AmmyyAdmin Service Installed

Description

This detection identifies the application AmmyyAdmin installed as a local Windows Service. Malicious actors may use it in post-exploitation activity to obtain remote access to the compromised Windows system.

Recommendation

Determine whether AmmyyAdmin was installed on this host by the user or by an authorized IT employee. Also investigate the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • External Remote Services - T1133

Attacker Technique - Remote Access Tool Rutserv.exe Service Installed

Description

This detection identifies the application rutserv.exe installed as a local Windows Service. Malicious actors may use it in post-exploitation activity to obtain remote access to the compromised Windows system.

Recommendation

Determine whether rutserv.exe was installed on this host by the user or by an authorized IT employee. Also investigate the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • External Remote Services - T1133

Attacker Technique - Reverse Proxy Ngrok Service Installed

Description

This detection identifies Ngrok being installed as a Windows Service. Ngrok is a legitimate utility that is sometimes abused by attackers to tunnel traffic out to the internet.

Recommendation

Determine whether Ngrok was installed on this host by the user or by an authorized IT employee. Ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Protocol Tunneling - T1572

Attacker Technique - Service Installed Executing PowerShell

Description

This detection identifies services being installed with ‘powershell’ in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • PowerShell - T1059.001
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed Redirecting Output To ‘__output’

Description

This detection identifies services being installed with ‘\\127.0.0.1\c$\__output’ in the command line. Malicious actors use this technique to execute commands through a system service and capture the output of the command to a file.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed To Perflogs

Description

This detection identifies services being installed with ‘perflogs’ in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With COMSPEC Environment Variable In Command Line

Description

This detection identifies services being installed with ‘%COMSPEC%’ in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Execution And Deletion Of Batch File

Description

This detection identifies services being installed whose command line executes a batch file and then deletes it. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • Windows Command Shell - T1059.003
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Long Command Line

Description

This detection identifies services being installed with an unusually long string in the command line. Malicious actors use this technique to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed with Minidump Used on LSASS

Description

This detection identifies a service installation that uses the ‘MiniDump’ command against the ‘lsass.exe’ process. Malicious actors and penetration testers use this technique to read the memory contents of that process and dump passwords and hashes.

Recommendation

Determine if this was part of authorized penetration testing. Other than testing, there is little, if any, reason for activity like this to occur legitimately. Quarantine the host immediately.

MITRE ATT&CK Techniques

  • LSASS Memory - T1003.001
  • Rundll32 - T1218.011
  • System Services - T1569
  • Service Execution - T1569.002
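The service-installation heuristics described in the sections above (service name and command-line patterns, long command lines, the ‘__output’ redirect, and MiniDump against lsass.exe), as an added example that is not Rapid7's rule logic. It runs over constructed Event ID 7045-style records; the regexes, the 500-character length threshold, and the sample values are this example's assumptions.

```python
import re

# Heuristics mirroring the detections on this page. Patterns and the length
# threshold are assumptions made for this example, not the vendor's actual rules.
SERVICE_NAME_RULES = {
    "Cloudflared Agent Service Installed": re.compile(r"cloudflared", re.I),
}
IMAGE_PATH_RULES = {
    "Remote Access Tool AmmyyAdmin Service Installed": re.compile(r"\bammyy", re.I),
    "Remote Access Tool Rutserv.exe Service Installed": re.compile(r"\brutserv\.exe\b", re.I),
    "Reverse Proxy Ngrok Service Installed": re.compile(r"\bngrok(\.exe)?\b", re.I),
    "Service Installed Executing PowerShell": re.compile(r"powershell", re.I),
    "Service Installed Redirecting Output To '__output'": re.compile(r"\\\\127\.0\.0\.1\\c\$\\__output", re.I),
    "Service Installed To Perflogs": re.compile(r"\\perflogs\\", re.I),
    "Service Installed With COMSPEC Environment Variable In Command Line": re.compile(r"%COMSPEC%", re.I),
    "Service Installed With Execution And Deletion Of Batch File": re.compile(r"\.bat\b.*\bdel\b", re.I),
    "Service Installed with Minidump Used on LSASS": re.compile(r"minidump.*lsass", re.I),
}
LONG_COMMAND_LINE = 500  # assumed threshold in characters

# Constructed sample events (ServiceName / ImagePath as logged by Event ID 7045); not real telemetry.
SAMPLE_EVENTS = [
    {"ServiceName": "Cloudflared agent", "ImagePath": r"C:\Program Files\cloudflared\cloudflared.exe tunnel run"},
    {"ServiceName": "TempSvc", "ImagePath": r"%COMSPEC% /Q /c C:\Windows\Temp\execute.bat > \\127.0.0.1\c$\__output & del C:\Windows\Temp\execute.bat"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"ServiceName": "UpdaterSvc", "ImagePath": "powershell.exe -enc " + "A" * 600},
    {"ServiceName": "Dumper", "ImagePath": r"C:\perflogs\tool.exe MiniDump lsass.exe C:\perflogs\lsass.dmp"},
]


def evaluate(event):
    """Return the names of the page's detections that this service-install event matches."""
    hits = [name for name, rx in SERVICE_NAME_RULES.items() if rx.search(event["ServiceName"])]
    path = event["ImagePath"]
    hits += [name for name, rx in IMAGE_PATH_RULES.items() if rx.search(path)]
    if len(path) > LONG_COMMAND_LINE:
        hits.append("Service Installed With Long Command Line")
    return hits


def triage(events):
    """Map each service name to the detections it triggers; empty list means no match."""
    return {e["ServiceName"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name!r}: {hits or 'no match'}")
```

A single service install can fire several of these detections at once, as the ‘TempSvc’ sample shows; correlating them on the same event is a stronger signal than any one pattern alone.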

Suspicious Service - Sliver C2 Client PsExec Installation

Description

This detection identifies Sliver C2, an open source cross-platform penetration testing/post-exploitation framework, installed as a local Windows Service. Its built-in PsExec command, used for lateral movement, installs this service on the remote machine.

Recommendation

Determine whether Sliver C2 was installed on this host by the user or by an authorized IT employee. Also investigate the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Remote Services - T1021