Elastic Security Detection Rules

Remote Windows Service Installed

Last updated 2 months ago on 2025-11-14
Created 3 years ago on 2022-08-30

About

Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators."
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Lateral MovementTactic: PersistenceData Source: Windows Security Event LogsLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Lateral Movement (TA0008)(external, opens in a new tab or window)

Remote Services (T1021)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

Create or Modify System Process (T1543)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-system.security*logs-windows.forwarded*winlogbeat-*
Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query
text code block:
sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
[authentication where host.os.type == "windows" and event.action == "logged-in" and winlog.logon.type : "Network" and
 event.outcome == "success" and source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1"]
[iam where host.os.type == "windows" and event.action == "service-installed" and
 not winlog.event_data.SubjectLogonId : "0x3e7" and
 not winlog.event_data.ServiceFileName :
               ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
                "?:\\Windows\\System32\\VSSVC.exe",
                "?:\\Windows\\servicing\\TrustedInstaller.exe",
                "?:\\Windows\\System32\\svchost.exe",
                "?:\\Program Files (x86)\\*.exe",
                "?:\\Program Files\\*.exe",
                "?:\\Windows\\PSEXESVC.EXE",
                "?:\\Windows\\System32\\sppsvc.exe",
                "?:\\Windows\\System32\\wbem\\WmiApSrv.exe",
                "?:\\WINDOWS\\RemoteAuditService.exe",
                "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe",
                "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe",
                "?:\\Windows\\CAInvokerService.exe",
                "?:\\Windows\\System32\\upfc.exe",
                "?:\\Windows\\AdminArsenal\\PDQ*.exe",
                "?:\\Windows\\System32\\vds.exe",
                "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe",
                "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe",
                "?:\\Windows\\System32\\certsrv.exe",
                "?:\\Windows\\eset-remote-install-service.exe",
                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
                "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe",
                "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe",
                "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe",
                "?:\\Windows\\System32\\taskhostex.exe")]

Install detection rules in Elastic Security

Detect Remote Windows Service Installed in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).