Detection: Windows Service Create RemComSvc

Updated Date: 2024-11-13 ID: 0be4b5d6-c449-4084-b945-2392b519c33b Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects the creation of the RemComSvc service on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It leverages Windows EventCode 7045 from the System event log, specifically looking for the "RemCom Service" name. This activity is significant as it often signifies unauthorized lateral movement within the network, which is a common tactic used by attackers to spread malware or gain further access. If confirmed malicious, this could lead to unauthorized access to sensitive systems, data exfiltration, or further compromise of the network.

Search

1`wineventlog_system` EventCode=7045 ServiceName="RemCom Service" 
2| stats count min(_time) as firstTime max(_time) as lastTime by dest ImagePath ServiceName ServiceType   
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `windows_service_create_remcomsvc_filter`

Data Source

Name	Platform	Sourcetype	Source
Windows Event Log System 7045	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:System'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_service_create_remcomsvc_filter	`search *`

windows_service_create_remcomsvc_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1543.003	Windows Service	Persistence
T1543	Create or Modify System Process	Privilege Escalation

Exploitation

Installation

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended.

Known False Positives

False positives may be present, filter as needed based on administrative activity.

Associated Analytic Story

Active Directory Discovery

Risk Based Analytics (RBA)

Risk Message:

A new service was created related to RemCom on $dest$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	32	No Threat Objects

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:System`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:System`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 4