Windows.EventLogs.ServiceCreationComspec

Detects the string “COMSPEC” (nocase) in Windows Service Creation (SCM) events. That is: EventID 7045 from the System event log.

This detects many hack tools that use SCM based lateral movement including smbexec.

If VSSAnalysisAge is non-zero then this enables querying VSS instances for the EventLog path, which includes event deduplication.

name: Windows.EventLogs.ServiceCreationComspec
description: |
  Detects the string "COMSPEC" (nocase) in Windows Service
  Creation (SCM) events. That is: EventID 7045 from the System event log.

  This detects many hack tools that use SCM based lateral movement
  including `smbexec`.

  If `VSSAnalysisAge` is non-zero then this enables querying VSS instances for
  the `EventLog` path, which includes event deduplication.

author: Matt Green - @mgreen27

parameters:
  - name: EventLog
    default: C:\Windows\system32\winevt\logs\System.evtx
  - name: ComspecRegex
    default: "(COMSPEC|cmd.exe|ADMIN\\$)"
    type: regex

  - name: VSSAnalysisAge
    type: int
    default: 0
    description: |
      If larger than zero we analyze VSS within this many days
      ago. (e.g 7 will analyze all VSS within the last week).  Note
      that when using VSS analysis we have to use the ntfs accessor
      for everything which will be much slower.

sources:
  - name: ServiceCreation
    query: |
      LET VSS_MAX_AGE_DAYS <= VSSAnalysisAge
      LET Accessor = if(condition=VSSAnalysisAge > 0, then="ntfs_vss", else="auto")

      // Extract all target paths from glob
      LET files = SELECT OSPath
      FROM glob(globs=EventLog, accessor=Accessor)

      // Parse all target files, order by source and add dedupe string
      LET hits = SELECT * FROM foreach(
              row=files,
              query={
                SELECT timestamp(epoch=System.TimeCreated.SystemTime) as EventTime,
                  System.EventID.Value as EventID,
                  System.Computer as Computer,
                  System.Security.UserID as SecurityID,
                  EventData.AccountName as ServiceAccount,
                  EventData.ServiceName as ServiceName,
                  EventData.ImagePath as ImagePath,
                  EventData.ServiceType as ServiceType,
                  EventData.StartType as StartType,
                  System.EventRecordID as EventRecordID,
                  System.Level as Level,
                  System.Opcode as Opcode,
                  System.Task as Task,
                  OSPath AS Source
                FROM parse_evtx(filename=OSPath, accessor=Accessor)
                WHERE System.EventID.Value = 7045 and
                  EventData.ImagePath =~ ComspecRegex
            })
            ORDER BY Source DESC

      SELECT
            EventTime,
            EventID,
            Computer,
            SecurityID,
            ServiceAccount,
            ServiceName,
            ImagePath,
            ServiceType,
            StartType,
            EventRecordID,
            Source
        FROM hits