The creation of a Windows service may indicate an adversary establishing persistence on a system. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access or covert operations.
YARA Rule
rule create_service {
    meta:
        author = "x0r"
        description = "Create a windows service"
        version = "0.2"
    strings:
        $f1 = "Advapi32.dll" nocase
        $c1 = "CreateService"
        $c2 = "ControlService"
        $c3 = "StartService"
        $c4 = "QueryServiceStatus"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic: the Advapi32.dll import name, matched case-insensitively, and four Service Control Manager API names, all of which must be present for the rule to fire. Because legitimate service installers and management tools import the same APIs, matches should be triaged against the scenarios below before being treated as persistence activity.
Scenario: A system administrator is installing a legitimate Windows service using sc.exe
Filter/Exclusion: Check for the presence of sc.exe in the command line and ensure the service name matches known enterprise services (e.g., Spooler, W3SVC, BITS).

Scenario: A scheduled task is configured to run a script that creates a temporary service for a short duration
Filter/Exclusion: Filter out services created by tasks with a specific task name or scheduled time, or check for the presence of a temporary service flag in the registry.

Scenario: A third-party application (e.g., Microsoft SQL Server) is registering its own Windows service during installation
Filter/Exclusion: Exclude services that match known application service names (e.g., MSSQL$SQLEXPRESS, SQLBrowser) or check the service description field.

Scenario: A developer is using InstallUtil.exe to deploy a .NET service as part of a deployment process
Filter/Exclusion: Filter out services created by InstallUtil.exe or check for the presence of a deployment-related command line argument.

Scenario: A system update or patch process creates a temporary service to perform post-installation tasks
Filter/Exclusion: Exclude services created by known update mechanisms (e.g., WindowsUpdate) or check for the presence of a service description indicating temporary use.
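The exclusions above, applied as a triage step to service-creation records. This is an added example and not part of the rule or the page; the ServiceEvent fields, the creator-process attribution and the sample records are constructed assumptions.

```python
from dataclasses import dataclass

# Allow-lists taken from the scenarios above (lower-cased for comparison).
KNOWN_ENTERPRISE_SERVICES = {"spooler", "w3svc", "bits"}
KNOWN_APP_SERVICES = {"mssql$sqlexpress", "sqlbrowser"}
KNOWN_INSTALLERS = {"installutil.exe"}
KNOWN_UPDATERS = {"windowsupdate"}
KNOWN_TASKS = {"nightly-maintenance"}        # assumed task name for scenario 2


@dataclass
class ServiceEvent:
    # Assumed record layout; field names are not from any specific log source.
    service_name: str
    creator_process: str          # process that registered the service
    description: str = ""
    task_name: str = ""           # scheduled task that launched the creator, if any


def classify(ev: ServiceEvent) -> str:
    """Return 'exclude:<reason>' when a scenario exclusion applies, else 'review'."""
    name = ev.service_name.lower()
    creator = ev.creator_process.lower().rsplit("\\", 1)[-1]
    desc = ev.description.lower()
    if creator == "sc.exe" and name in KNOWN_ENTERPRISE_SERVICES:
        return "exclude:sc.exe-known-enterprise-service"
    if ev.task_name.lower() in KNOWN_TASKS:
        return "exclude:known-scheduled-task"
    if name in KNOWN_APP_SERVICES:
        return "exclude:known-application-service"
    if creator in KNOWN_INSTALLERS:
        return "exclude:deployment-installer"
    if creator in KNOWN_UPDATERS or "temporary" in desc:
        return "exclude:update-or-temporary"
    return "review"                # unknown creator and name: analyst review


def triage(events):
    """Map each service name to its classification."""
    return {ev.service_name: classify(ev) for ev in events}


# Constructed sample records, one per scenario plus one unexplained creation.
SAMPLE_EVENTS = [
    ServiceEvent("Spooler", r"C:\Windows\System32\sc.exe"),
    ServiceEvent("CleanupSvc", r"C:\Windows\System32\cmd.exe", task_name="Nightly-Maintenance"),
    ServiceEvent("MSSQL$SQLEXPRESS", r"C:\Temp\SQLEXPR\setup.exe"),
    ServiceEvent("OrderService", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"),
    ServiceEvent("PostInstall", r"C:\Windows\System32\svchost.exe", description="Temporary post-update task"),
    ServiceEvent("Helper", r"C:\Users\Public\helper.exe", description="Helper service"),
]
```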