← Library
splApache-2.0from splunk/security_content

Randomly Generated Windows Service Name

The following analytic detects the installation of a Windows Service with a suspicious, high-entropy name, indicating potential malicious activity. It leverages Event ID 7045 and the `ut_shannon` function from the URL ToolBox Splunk application to identify services with random names. This behavior is significant as adversaries often use randomly named services for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/randomly_generated_windows_service_name.yml
`wineventlog_system` EventCode=7045
  | lookup ut_shannon_lookup word as Service_Name
  | where ut_shannon > 3
  | table EventCode ComputerName Service_Name ut_shannon Service_Start_Type Service_Type Service_File_Name
  | `randomly_generated_windows_service_name_filter`