Vendor News

Hunting Rituals #2.2: Threat hunting for abuse of Windows Services

5 December 2023

Actionable guide to hunting for Windows Services abuse using Group-IB MXDR.
Part 2: Execution of Windows Services

When discussing Windows services and how to hunt for their abuse, it is worth noting that several threat hunting hypotheses can be leveraged. This is common in threat hunting in general, and for persistence-related techniques in particular.

As a reminder, all our service-related hypotheses can be split into two main groups: hunting for service creation (aka "establishment" or "installation") and hunting for service execution (which may happen some time after the service is created/established). Each group can also be split into more granular hypotheses for specific threat hunting needs. The four hypotheses we established earlier are:

  1. Hunting for process command line artifacts of service creation
  2. Hunting for registry artifacts of service creation
  3. Hunting for process artifacts of an EXE file executed as a service
  4. Hunting for process artifacts of a DLL file executed as a service

This post covers hypotheses 3 and 4. They are very similar in nature but require entirely different threat hunting approaches (hypotheses 1 and 2 were covered in the previous Hunting Rituals blog post).
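To make the difference between hypotheses 3 and 4 concrete, here is an added example (not Group-IB's code and not part of MXDR) that applies both to a handful of constructed process-creation records. It assumes the standard Windows layout: the Service Control Manager (services.exe) is the parent of every service process, EXE-based services run as their own image (hypothesis 3), and DLL-based services run inside a System32 svchost.exe started with a `-k` service group (hypothesis 4).

```python
"""Hunting logic for EXE-as-service (H3) and DLL-as-service (H4) process artifacts."""
from dataclasses import dataclass

# Expected, lower-cased paths on a default installation (assumptions, see lead-in).
SERVICES_EXE = "c:\\windows\\system32\\services.exe"
SVCHOST_EXE = "c:\\windows\\system32\\svchost.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, e.g. the fields of a Sysmon Event ID 1."""
    image: str
    command_line: str
    parent_image: str


def classify(ev: ProcessEvent):
    """Return (hypothesis, reason) for events worth an analyst's look, else None."""
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if image.endswith("\\svchost.exe"):
        # H4: a DLL service host must be the System32 svchost.exe, started by the SCM,
        # with a -k group on its command line; anything else is a masquerade candidate.
        if parent != SERVICES_EXE:
            return ("H4", "svchost.exe not started by services.exe")
        if image != SVCHOST_EXE:
            return ("H4", "svchost.exe outside System32")
        if "-k" not in ev.command_line.split():
            return ("H4", "svchost.exe without -k service group")
        return None
    if parent == SERVICES_EXE:
        # H3: an EXE launched directly by the SCM; binaries outside %SystemRoot% get reviewed.
        if not image.startswith("c:\\windows\\"):
            return ("H3", "service executable outside C:\\Windows")
    return None


def hunt(events):
    """Apply classify() to every record and keep only the hits, tagged with the image path."""
    return [(ev.image, *hit) for ev in events if (hit := classify(ev))]


# Constructed sample records: two benign, three suspicious, one unrelated.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs -p", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("C:\\Users\\Public\\svchost.exe", "svchost.exe -k netsvcs", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs", "C:\\Windows\\explorer.exe"),
    ProcessEvent("C:\\ProgramData\\update\\updater.exe", "updater.exe", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("C:\\Windows\\System32\\spoolsv.exe", "spoolsv.exe", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("C:\\Windows\\System32\\notepad.exe", "notepad.exe", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it prints the three suspicious records; in practice the same two branches map onto a parent-process filter (H3) and an svchost integrity check (H4) in whatever query language the telemetry platform offers.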