Track EID 7045 windows events to monitor new services

Does anyone have a sample rule they can share with me to track EID 7045 windows events to monitor new services? 

Also any sample rules or pointers you can provide for this detection would be a ton of help.

- Randomized powershell executables - hash is powershell.exe but file name is different.

ACCEPTED SOLUTION

Here is a starter rule that would track new services being created. I'm grouping by the host but clearly there is a lot of additional tweaking that could be done to view by user or service as well as using watchlists(reference lists) or tying into other process executions.

rule new_service_tracking {

  meta:
    author = "Google Cloud Security"
    description = "Identify services being created and by whom"
    platform = "Windows"
    severity = "Low"
    priority = "Low"

  events:
    $service.metadata.event_type = "SERVICE_CREATION"
    $service.metadata.product_name = "Service Control Manager"
    $service.metadata.vendor_name = "Microsoft"
    $service.metadata.product_event_type = "7045"
    $service.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = 10
    $user_initiated = array_distinct($service.principal.user.userid)
    $service_name = array_distinct($service.target.application)
    $service_file_path = array_distinct($service.target.process.file.full_path)

  condition:
    $service
}
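To make the grouping and outcome semantics of the rule above concrete, here is an added Python re-implementation that runs the same logic over a handful of constructed, UDM-shaped events. This is example code, not Chronicle's rule engine and not the poster's rule; the nested dict layout, the hostnames, users, service names and file paths are all assumptions invented for the demo, and the fixed five-minute buckets are a simplification of how the real `match:` window behaves.

```python
"""Plain-Python walk-through of new_service_tracking (added example, not Chronicle code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # mirrors "match: $hostname over 5m"


def make_event(ts, host, user, service, path,
               event_type="SERVICE_CREATION", product_event_type="7045"):
    """Build one UDM-shaped event. Constructed test data, not a real log record."""
    return {
        "metadata": {
            "event_timestamp": ts,
            "event_type": event_type,
            "product_name": "Service Control Manager",
            "vendor_name": "Microsoft",
            "product_event_type": product_event_type,
        },
        "principal": {"hostname": host, "user": {"userid": user}},
        "target": {"application": service,
                   "process": {"file": {"full_path": path}}},
    }


# Constructed sample: three creations on WS-01 inside one window, one much later,
# one on a second host, and a 7036 state-change record that must be filtered out.
SAMPLE_EVENTS = [
    make_event("2024-05-01T10:00:05Z", "WS-01", "alice", "BackupAgent", r"C:\Program Files\Backup\agent.exe"),
    make_event("2024-05-01T10:02:40Z", "WS-01", "SYSTEM", "UpdaterSvc", r"C:\Windows\Temp\upd.exe"),
    make_event("2024-05-01T10:03:10Z", "WS-01", "alice", "BackupAgent", r"C:\Program Files\Backup\agent.exe"),
    make_event("2024-05-01T10:31:00Z", "WS-01", "bob", "RemoteHelper", r"C:\Users\bob\AppData\Local\rh.exe"),
    make_event("2024-05-01T10:01:00Z", "SRV-02", "svc_deploy", "WebAgent", r"D:\apps\webagent.exe"),
    make_event("2024-05-01T10:01:30Z", "WS-01", "SYSTEM", "Spooler", r"C:\Windows\System32\spoolsv.exe",
               event_type="GENERIC_EVENT", product_event_type="7036"),
]


def get(event, path):
    """Dotted-path lookup, e.g. get(e, "principal.user.userid"); None if a hop is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_events_section(event):
    """The four equality predicates from the rule's events: block."""
    return (
        get(event, "metadata.event_type") == "SERVICE_CREATION"
        and get(event, "metadata.product_name") == "Service Control Manager"
        and get(event, "metadata.vendor_name") == "Microsoft"
        and get(event, "metadata.product_event_type") == "7045"
    )


def window_start(ts_str, window=WINDOW):
    """Fixed-size time bucket (simplification: YARA-L's match window is not a fixed bucket)."""
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    secs = int(window.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def run_rule(events, window=WINDOW):
    """Group matching events by (hostname, window) and compute the outcome: variables."""
    groups = defaultdict(list)
    for e in events:
        if matches_events_section(e):
            host = get(e, "principal.hostname")
            groups[(host, window_start(get(e, "metadata.event_timestamp"), window))].append(e)

    detections = []
    for (host, start), evs in sorted(groups.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        # array_distinct() collapses repeats: a service created twice shows up once.
        detections.append({
            "hostname": host,
            "window_start": start.isoformat(),
            "risk_score": 10,
            "user_initiated": sorted({get(e, "principal.user.userid") for e in evs}),
            "service_name": sorted({get(e, "target.application") for e in evs}),
            "service_file_path": sorted({get(e, "target.process.file.full_path") for e in evs}),
            "event_count": len(evs),
        })
    return detections


if __name__ == "__main__":
    for d in run_rule(SAMPLE_EVENTS):
        print(d)
```

Running it yields three detections: SRV-02 and WS-01 in the 10:00 window, and WS-01 again at 10:30; the 7036 record never reaches the grouping step. The distinct user and file-path lists are where the tuning the answer mentions would start, for example matching `service_file_path` entries against a reference list of expected installer locations.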

You'll want to use the following UDM field (though its content may vary depending on the log source). This worked in my environment with NXLog.

metadata.product_event_type = "7045"


Thank you Google Team, much appreciated!