Windows Suspicious Services

These detections identify suspicious activity from service installation events collected by Insight Agent from Windows endpoints.

Attacker Technique - Cloudflared Agent Service Installed

Description

This detection identifies services being installed with 'Cloudflared agent' in the service name. This legitimate software is used by malicious actors to tunnel network traffic and hide the IP address of the attacker's infrastructure from the victim.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Protocol Tunneling - T1572

Attacker Technique - Remote Access Tool AmmyyAdmin Service Installed

Description

This detection identifies the application AmmyyAdmin installed as a local Windows Service. Malicious actors may use this in post-exploitation activity to allow remote access to the compromised Windows system.

Recommendation

Determine whether AmmyyAdmin was installed on this host by the user or by an authorized IT employee. Investigate as well the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • External Remote Services - T1133

Attacker Technique - Remote Access Tool Rutserv.exe Service Installed

Description

This detection identifies the application rutserv.exe installed as a local Windows Service. Malicious actors may use this in post-exploitation activity to allow remote access to the compromised Windows system.

Recommendation

Determine whether rutserv.exe was installed on this host by the user or by an authorized IT employee. Investigate as well the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • External Remote Services - T1133

Attacker Technique - Reverse Proxy Ngrok Service Installed

Description

This detection identifies Ngrok being installed as a Windows Service. Ngrok is a legitimate utility that is sometimes abused by attackers to tunnel traffic out to the internet.

Recommendation

Determine whether Ngrok was installed on this host by the user or by an authorized IT employee. Ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Protocol Tunneling - T1572

Attacker Technique - Service Installed Executing PowerShell

Description

This detection identifies services being installed with 'powershell' in the command line. This technique is used by malicious actors to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • PowerShell - T1059.001
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed Redirecting Output To '__output'

Description

This detection identifies services being installed with '\\127.0.0.1\c$\__output' in the command line. This technique is used by malicious actors to execute commands through a system service and capture the output of the command to a file.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed To Perflogs

Description

This detection identifies services being installed with 'perflogs' in the command line. This technique is used by malicious actors to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With COMSPEC Environment Variable In Command Line

Description

This detection identifies services being installed with '%COMSPEC%' in the command line. This technique is used by malicious actors to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Execution And Deletion Of Batch File

Description

This detection identifies services being installed whose command line executes a batch file and then deletes it. This technique is used by malicious actors to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • Windows Command Shell - T1059.003
  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed With Long Command Line

Description

This detection identifies services being installed with a long string in the command line. This technique is used by malicious actors to execute commands through a system service.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • System Services - T1569
  • Service Execution - T1569.002

Attacker Technique - Service Installed with Minidump Used on LSASS

Description

This detection identifies a service installation whose command line uses the 'MiniDump' command against the 'lsass.exe' process. This technique is used by malicious actors and penetration testers to read the memory contents of that process and dump passwords and hashes.

Recommendation

Determine if this was part of authorized penetration testing. Other than testing, there is little, if any, reason for activity like this to occur legitimately. Quarantine the host immediately.

MITRE ATT&CK Techniques

  • LSASS Memory - T1003.001
  • Rundll32 - T1218.011
  • System Services - T1569
  • Service Execution - T1569.002

Suspicious Service - Sliver C2 Client PsExec Installation

Description

This detection identifies Sliver C2, an open source cross-platform penetration testing/post-exploitation framework, installed as a local Windows Service. Use of its built-in PsExec command, used for lateral movement, installs this service on the remote machine.

Recommendation

Determine whether Sliver C2 was installed on this host by the user or by an authorized IT employee. Investigate as well the remote IP address connecting to the Windows system and ensure there is a legitimate business use for it. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Remote Services - T1021
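Every detection on this page matches a string or property of a Windows service installation record. The following added example (not Rapid7's detection logic, and not part of the original page) shows how those checks look when run over records shaped like the System log's Event ID 7045, "A service was installed in the system", which carries the ServiceName and ImagePath fields. The 1000-character cut-off for "long command line", the tool-name patterns assumed for AmmyyAdmin, rutserv, Ngrok and Sliver, and all sample records are assumptions constructed for the example.

```python
"""Added example: a small detector for the service-installation patterns this
page describes.  Not Rapid7's detection logic.  It runs over records shaped
like Windows System log Event ID 7045 (ServiceName and ImagePath) and reports
which of the page's detections each record would trigger.  Thresholds, the
tool-name patterns and the sample records are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable

# The page does not state what "long" means; 1000 characters is an assumed cut-off.
LONG_COMMAND_LINE = 1000


@dataclass
class ServiceInstall:
    host: str
    service_name: str  # Event ID 7045 "ServiceName"
    image_path: str    # Event ID 7045 "ImagePath": the service command line


Predicate = Callable[[ServiceInstall], bool]


def in_name(pattern: str) -> Predicate:
    """Predicate: regex matches the service name (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.service_name) is not None


def in_cmd(pattern: str) -> Predicate:
    """Predicate: regex matches the service command line (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.image_path) is not None


def in_either(pattern: str) -> Predicate:
    """Predicate: regex matches the service name or the command line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e.service_name + " " + e.image_path) is not None


# One rule per detection on the page.  The tokens for AmmyyAdmin, rutserv,
# Ngrok and Sliver are assumed; the page names the tools, not the exact strings.
RULES: list[tuple[str, Predicate]] = [
    ("Cloudflared Agent Service Installed", in_name(r"cloudflared agent")),
    ("Remote Access Tool AmmyyAdmin Service Installed", in_either(r"ammyy")),
    ("Remote Access Tool Rutserv.exe Service Installed", in_cmd(r"rutserv\.exe")),
    ("Reverse Proxy Ngrok Service Installed", in_either(r"\bngrok\b")),
    ("Service Installed Executing PowerShell", in_cmd(r"powershell")),
    ("Service Installed Redirecting Output To '__output'",
     in_cmd(r"\\\\127\.0\.0\.1\\c\$\\__output")),
    ("Service Installed To Perflogs", in_cmd(r"perflogs")),
    ("Service Installed With COMSPEC Environment Variable In Command Line",
     in_cmd(r"%COMSPEC%")),
    ("Service Installed With Execution And Deletion Of Batch File",
     in_cmd(r"\.bat\b.*\bdel\b.*\.bat\b")),
    ("Service Installed With Long Command Line",
     lambda e: len(e.image_path) > LONG_COMMAND_LINE),
    ("Service Installed with Minidump Used on LSASS",
     in_cmd(r"(?=.*minidump)(?=.*lsass)")),
    ("Sliver C2 Client PsExec Installation", in_name(r"sliver")),
]


def detect(event: ServiceInstall) -> list[str]:
    """Return the titles of every page detection this event would trigger."""
    return [title for title, matches in RULES if matches(event)]


def triage(events: list[ServiceInstall]) -> dict[str, list[tuple[str, str]]]:
    """Group hits by host: host -> [(service name, detection title), ...]."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for e in events:
        for title in detect(e):
            hits.setdefault(e.host, []).append((e.service_name, title))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign baseline: a vendor service with a plain executable path.
    ServiceInstall("WS01", "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
    # Command shell via %COMSPEC% with output captured to the __output share path.
    ServiceInstall("WS01", "svc1", r"%COMSPEC% /Q /c dir > \\127.0.0.1\C$\__output 2>&1"),
    # PowerShell run from a service, with its script under PerfLogs.
    ServiceInstall("WS02", "UpdSvc",
                   r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\PerfLogs\u.ps1"),
    # Batch file executed and then deleted in the same command line.
    ServiceInstall("WS02", "hlpsvc", r"cmd.exe /c C:\Windows\Temp\run.bat & del C:\Windows\Temp\run.bat"),
    # Tunneling tools registered as services (service name taken from the page).
    ServiceInstall("WS03", "Cloudflared agent", r"C:\Tools\cloudflared.exe tunnel run"),
    ServiceInstall("WS03", "ngrok", r"C:\Tools\ngrok.exe service run"),
    # MiniDump against lsass; the command line is deliberately abbreviated.
    ServiceInstall("WS04", "dmp", r"rundll32.exe <dll>,MiniDump <lsass.exe pid> C:\Temp\out.dmp full"),
    # Unusually long command line (constructed padding).
    ServiceInstall("WS05", "pad", "cmd.exe /c " + "A" * 1200),
]

if __name__ == "__main__":
    for host, hits in sorted(triage(SAMPLE_EVENTS).items()):
        for service, title in hits:
            print(f"{host}: service '{service}' -> {title}")
```

Running the script prints one line per (host, service, detection) hit. Note that a single record can trigger several of the page's detections at once: the `%COMSPEC%` record also matches the '__output' rule, and the PowerShell record also matches the Perflogs rule, which is the usual overlap an analyst sees when the same service install shows up under more than one alert title.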