Suspicious Parent Spawning Services

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This correlation rule focuses on identifying potentially malicious activity by monitoring the creation of new processes by Services.exe (the Windows service manager). Services.exe usually launches legitimate system services. However, if a suspicious process spawns Services.exe, it could be trying to create a new, malicious service.

Data source:

Windows: Network traffic, process, script

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0002 - Execution, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0003 - Persistence

Techniques: T1059 - Command and Scripting Interpreter, T1055 - Process Injection, T1053 - Scheduled Task/Job

Sub-techniques: T1059.001 - PowerShell, T1055.001 - Dynamic-link Library Injection, T1055.001 - Portable Executable Injection

Criteria:

  • This rule targets processes ending with "services.exe" (including paths with System32 or SysWow64).
  • It marks the spawn as suspicious if the parent is not a legitimate wininit.exe process.

When to enable this rule:

Enable this rule when the user wants to detect potential privilege escalation or persistence techniques involving services through suspicious parent spawning.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) to detect anomalies in the spawning of service control manager.
  • CIS Control: 8 (Malware Defense) to oversee and secure the services.exe process against unauthorized use or manipulation.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.