Services

Analyzing Malicious Service Activity in Windows Systems

Attackers often exploit Windows services to maintain persistence, execute malicious code, or disable security mechanisms. A thorough analysis of service-related activities is critical in identifying such threats.


Key Areas to Investigate

  1. Newly Created or Modified Services

  2. Disabled Security Services


1. Detecting Newly Created or Modified Services

How Attackers Leverage Services:

  • Create new services with legitimate-sounding names (e.g., "Chrome Update").

  • Modify existing services to execute malicious commands or scripts.

Detection via Event Logs:

Event ID 4697: A service was installed in the system.

Steps:

  1. Open Event Viewer.

  2. Navigate to:

    Applications and Services Logs -> Microsoft -> Windows -> Security -> Security.evtx

  3. Filter by Event ID 4697:

    • Review the following fields in the log:

      • Service Name: Check for names mimicking legitimate services.

      • Executable Path: Validate the path to ensure the service binary is not located in suspicious directories (e.g., C:\Temp\ or C:\Users\Public).

Example: A newly installed service ChromeUpdate points to C:\Temp\malicious.exe. This is likely malicious, as Chrome’s update service typically resides in C:\Program Files.


2. Identifying Disabled Security Services

Why Attackers Disable Security Services:

  • To bypass protection mechanisms such as antivirus, firewall, and Windows Defender.

Detection via Event Logs:

Event IDs:

  • 7036: A service entered the stopped state.

  • 7045: A service was installed in the system.

Steps:

  1. Open Event Viewer.

  2. Navigate to:

    Applications and Services Logs -> Microsoft -> Windows -> System -> System.evtx

  3. Filter by Event IDs 7036 and 7045:

    • Identify critical services that have been stopped unexpectedly (e.g., Windows Defender, Firewall).

Example: Logs show that Windows Defender was stopped shortly before suspicious network activity. This indicates the attacker may have disabled it to run malware without detection.


Service Analysis Tools

1. Autoruns (Sysinternals Tool)

  • Purpose: Detect auto-starting services and persistence mechanisms.

Steps:

  1. Run Autoruns as Administrator.

  2. Go to the Services tab.

  3. Investigate:

    • Unfamiliar service names.

    • Unsigned services or those with no publisher information.

2. Command Line (CMD or PowerShell)

Using CMD:

sc query state= all

  • Lists all services, including their state (running or stopped).

Using PowerShell:

Get-Service | Where-Object {$_.Status -eq 'Stopped'}

  • Filters and lists all stopped services. Review why these were stopped, especially if they are critical security services.
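The two event-log checks described above (Security 4697 installs whose binary sits in a suspicious directory, and System 7036 events where a security service entered the stopped state) can be automated in PowerShell. This is an added example, not part of the original page; the suspicious-directory list and the critical-service display names are assumptions to adjust for your environment, and the log queries need an elevated session.

```powershell
# Added example (not from the original page). Assumed lists: tune for your estate.
$SuspiciousDirs   = @('C:\Temp\', 'C:\Users\Public\', 'C:\Windows\Temp\', 'C:\ProgramData\')
$CriticalServices = @('Windows Defender Antivirus Service', 'Microsoft Defender Antivirus Service',
                      'Windows Firewall', 'Windows Defender Firewall')

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Event XML carries named <Data> elements; return the one requested by name.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Newly installed services (Security 4697): flag binaries in writable/temp paths
#    or without a valid Authenticode signature. Signature check only works while
#    the file is still on disk (attackers often delete it after use).
$installs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} -ErrorAction SilentlyContinue
foreach ($ev in $installs) {
    $svc  = Get-EventDataField -Event $ev -Name 'ServiceName'
    $path = Get-EventDataField -Event $ev -Name 'ServiceFileName'
    $user = Get-EventDataField -Event $ev -Name 'SubjectUserName'
    # ServiceFileName may be quoted and may carry arguments; isolate the executable.
    $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
    $inSuspiciousDir = ($SuspiciousDirs | Where-Object { $exe -like "$_*" }).Count -gt 0
    $sig = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature $exe).Status } else { 'NotOnDisk' }
    if ($inSuspiciousDir -or $sig -ne 'Valid') {
        [pscustomobject]@{
            Time = $ev.TimeCreated; Service = $svc; Path = $path; InstalledBy = $user
            Signature = $sig; Reason = if ($inSuspiciousDir) { 'SuspiciousDir' } else { 'UnsignedOrMissing' }
        }
    }
}

# 2. Security services entering the stopped state (System 7036). param1 is the
#    service display name, param2 the new state.
$stops = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036} -ErrorAction SilentlyContinue
foreach ($ev in $stops) {
    $name  = Get-EventDataField -Event $ev -Name 'param1'
    $state = Get-EventDataField -Event $ev -Name 'param2'
    if ($state -eq 'stopped' -and $CriticalServices -contains $name) {
        [pscustomobject]@{ Time = $ev.TimeCreated; Service = $name; Event = 'Stopped' }
    }
}
```

Correlate the timestamps of the stopped-service hits with the 4697 installs and with network or process telemetry from the same window to confirm the sequence the page's Windows Defender example describes.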


Analyzing Deleted or Hidden Services

Attackers may delete services after use to evade detection. Logs can help trace these actions.

Log Sources:

  1. Task Scheduler Logs: Trace services scheduled to run periodically.

  2. Security Logs:

    • Event ID 4698: Service creation.

    • Event ID 4702: Service modification.

Example: A service named TempUpdater was created and later deleted. Reviewing logs revealed it executed a script that established a reverse shell.


Eradication and Mitigation

  1. Stop Malicious Services:

    sc stop <service_name>

  2. Disable the Service:

    sc config <service_name> start= disabled

  3. Delete the Service:

    sc delete <service_name>

  4. Remove Malicious Executables: Delete associated binaries:

    del C:\Temp\malicious.exe

  5. Enable Critical Security Services: Re-enable services like Windows Defender and Firewall:

    sc start windefend
    sc start mpssvc

Key Takeaways

  • Persistence via Services: Attackers create or modify services to maintain long-term access.

  • Disabled Security Services: A common tactic to evade detection.

  • Critical Event IDs:

    • 4697: Service installation.

    • 7036: Service stopped.

    • 7045: Service installed.


  1. Regularly review service-related logs.

  2. Investigate newly created services and validate their file paths.

  3. Monitor stopped critical services for signs of malicious activity.

  4. Use Autoruns and PowerShell for comprehensive service analysis.

By employing these methods, incident responders can effectively detect and neutralize threats involving malicious Windows services.