Suspicious Service Installed
About the rule
Rule Type
Advanced
Rule Description
Detects installation of the NalDrv or PROCEXP152 services via registry keys whose image path points to a non-system32 folder. Both services are used by the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which in turn uses KDU (https://github.com/hfiref0x/KDU).
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Failed logon"
| timewindow 10m
| groupby HOSTNAME
| groupby USERNAME having COUNT >= 5
Action2:
actionname = "Successful logon" AND HOSTNAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME
Action3:
actionname = "Service installed" AND HOSTNAME = Action1.HOSTNAME AND USERNAME = Action1.USERNAME
Action4:
actionname = "Service started" AND SERVICENAME = Action3.SERVICENAME AND HOSTNAME = Action1.HOSTNAME
sequence:Action1 followedby Action2 within 2m followedby Action3 within 15m followedby Action4 within 15m
select Action1.timewindow.HOSTNAME,Action1.timewindow.MESSAGE,Action1.timewindow.USERNAME,Action1.timewindow.DOMAIN,Action1.timewindow.REMOTEHOST,Action1.timewindow.REMOTEIP,Action1.timewindow.LOGONTYPE,Action1.timewindow.PROCESSNAME,Action1.timewindow.FAILUREREASON,Action2.HOSTNAME,Action2.MESSAGE,Action2.USERNAME,Action2.DOMAIN,Action2.REMOTEHOST,Action2.REMOTEIP,Action2.LOGONTYPE,Action2.PROCESSNAME,Action2.CALLER,Action2.LOGON_PROCESS,Action2.MEMBERGROUPSID,Action2.SECURITYID,Action3.HOSTNAME,Action3.MESSAGE,Action3.DOMAIN,Action3.SERVICEACCOUNT,Action3.SERVICENAME,Action3.OBJECTNAME,Action3.USERNAME,Action3.SECURITYID,Action3.SERVICESTARTUPTYPE,Action3.SERVICETYPE,Action4.HOSTNAME,Action4.MESSAGE,Action4.SERVICENAME,Action4.ERRORCODE
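As an added example, not code from this rule page or from the Ghost-In-The-Logs project: a small Python re-implementation of the four-step sequence above (five failed logons within 10m, a successful logon within 2m, a service installed within 15m, that service started within 15m, all tied to the same host and user), together with the image-path check described in the rule description. The sample events, hostnames, timestamps and file paths are constructed; event field names follow the select clause, and the "non-system32" test is implemented as a substring check on the image path, which is an assumption about how the rule evaluates it.

```python
from datetime import datetime, timedelta

# Thresholds taken from the rule criteria on this page.
FAILED_LOGON_COUNT = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)
SUCCESS_WITHIN = timedelta(minutes=2)
INSTALL_WITHIN = timedelta(minutes=15)
START_WITHIN = timedelta(minutes=15)

# Service names from the rule description (case-insensitive match).
WATCHED_SERVICES = {"naldrv", "procexp152"}


def is_suspicious_service_image_path(service_name, image_path):
    """The rule description's check: a watched service whose image path is outside System32.
    Assumption: 'outside System32' is tested as the absence of '\\system32\\' in the path."""
    if service_name.lower() not in WATCHED_SERVICES:
        return False
    return "\\system32\\" not in image_path.lower()


def _first(events, predicate):
    """Return the earliest event (events are pre-sorted) satisfying predicate, else None."""
    for e in events:
        if predicate(e):
            return e
    return None


def correlate(events):
    """Apply Action1..Action4 to a list of event dicts and return one alert per matching burst."""
    events = sorted(events, key=lambda e: e["ts"])
    # Action1: group failed logons by HOSTNAME and USERNAME.
    by_host_user = {}
    for e in events:
        if e["actionname"] == "Failed logon":
            by_host_user.setdefault((e["HOSTNAME"], e["USERNAME"]), []).append(e)

    alerts = []
    for (host, user), fails in by_host_user.items():
        for i, anchor in enumerate(fails):
            # Failures within 10 minutes of this anchor; need at least five of them.
            window = [f for f in fails[i:] if f["ts"] - anchor["ts"] <= FAILED_LOGON_WINDOW]
            if len(window) < FAILED_LOGON_COUNT:
                continue
            t1 = window[FAILED_LOGON_COUNT - 1]["ts"]  # moment the threshold was crossed
            # Action2: successful logon for the same host/user within 2 minutes.
            a2 = _first(events, lambda e: e["actionname"] == "Successful logon"
                        and e["HOSTNAME"] == host and e.get("USERNAME") == user
                        and t1 <= e["ts"] <= t1 + SUCCESS_WITHIN)
            if a2 is None:
                continue
            # Action3: service installed by the same host/user within 15 minutes.
            a3 = _first(events, lambda e: e["actionname"] == "Service installed"
                        and e["HOSTNAME"] == host and e.get("USERNAME") == user
                        and a2["ts"] <= e["ts"] <= a2["ts"] + INSTALL_WITHIN)
            if a3 is None:
                continue
            # Action4: that service started on the same host within 15 minutes.
            a4 = _first(events, lambda e: e["actionname"] == "Service started"
                        and e["HOSTNAME"] == host and e.get("SERVICENAME") == a3["SERVICENAME"]
                        and a3["ts"] <= e["ts"] <= a3["ts"] + START_WITHIN)
            if a4 is None:
                continue
            alerts.append({"HOSTNAME": host, "USERNAME": user, "FAILED_LOGONS": len(window),
                           "SERVICENAME": a3["SERVICENAME"], "FIRST_FAILURE": anchor["ts"],
                           "SERVICE_STARTED": a4["ts"]})
            break  # later anchors overlap this burst; emit a single alert per host/user
    return alerts


def _ev(ts, actionname, host, **fields):
    # Constructed event record in the shape the select clause above refers to.
    return {"ts": datetime.fromisoformat(ts), "actionname": actionname, "HOSTNAME": host, **fields}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: five failures in four minutes, then success, install and start -> alert
    *[_ev(f"2024-01-15T10:0{i}:00", "Failed logon", "WS01", USERNAME="alice") for i in range(5)],
    _ev("2024-01-15T10:05:30", "Successful logon", "WS01", USERNAME="alice", LOGONTYPE=3),
    _ev("2024-01-15T10:11:00", "Service installed", "WS01", USERNAME="alice",
        SERVICENAME="NalDrv", OBJECTNAME=r"C:\Users\Public\nal.sys"),
    _ev("2024-01-15T10:12:00", "Service started", "WS01", SERVICENAME="NalDrv"),
    # WS02: only two failures before a routine service install -> no alert
    _ev("2024-01-15T11:00:00", "Failed logon", "WS02", USERNAME="bob"),
    _ev("2024-01-15T11:00:30", "Failed logon", "WS02", USERNAME="bob"),
    _ev("2024-01-15T11:01:00", "Successful logon", "WS02", USERNAME="bob"),
    _ev("2024-01-15T11:05:00", "Service installed", "WS02", USERNAME="bob", SERVICENAME="Spooler"),
    _ev("2024-01-15T11:06:00", "Service started", "WS02", SERVICENAME="Spooler"),
    # WS03: five failures, but three minutes apart (12 minutes total) -> window never holds five
    *[_ev(f"2024-01-15T12:{3 * i:02d}:00", "Failed logon", "WS03", USERNAME="carol") for i in range(5)],
    _ev("2024-01-15T12:12:30", "Successful logon", "WS03", USERNAME="carol"),
    _ev("2024-01-15T12:15:00", "Service installed", "WS03", USERNAME="carol", SERVICENAME="PROCEXP152"),
    _ev("2024-01-15T12:16:00", "Service started", "WS03", SERVICENAME="PROCEXP152"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for WS01/alice naming NalDrv; WS02 never reaches the failed-logon threshold, and WS03 shows why the 10m window matters: five failures exist, but no ten-minute span contains all of them, so the sequence never starts.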
Detection
Execution Mode
realtime
Log Sources
Windows
Author
xknow (@xknow_infosec), xorxes (@xor_xes)