Create your own Windows services anomaly detection script in Python to detect a common technique used by real hackers to gain persistence on your computers. By running a program as a service the program gains persistence – the ability to keep running even if the computer is rebooted. The ability to detect which services are found on your system and which of the many services present some kind of anomaly that warrants a closer inspection is a must.
Create your own Windows services anomaly detection script
After creating your own Windows processes anomaly detection tool and a Windows DLL anomaly detection script now the time has come to investigate your services.
List all services with PowerShell
To list all services, not just the running but also the stopped services, with PowerShell simply execute the following:
PS C:\> Get-Service
By running this command you will get a list similar to what is depicted in the image above. If you execute the command you can identify all services on the system, their names and their status. However, this list is long and hard to glance over and say that a service does not belong. Finding an anomaly simply by reading this list is not a reasonable strategy.
LAB: write your own Windows service anomaly detection tool in Python
To be able to detect service anomalies the following LAB will expand on this information and process more useful data in order to present anomalies to you that may warrant further investigation.
The service anomaly detection script will be capable of
- Alerting on services leading to a suspicious executable based on location
- Alerting on services with invalid certificates or non-whitelisted signers.
- Ideas on feature improvements that you should try to develop yourself to learn and get better
Start the lab at https://bowtiedguppy.substack.com/p/windows-services-anomaly-detection
What is Windows service anomaly detection
Read more about what anomaly detection is and the other threat detection methods here: Treat Detection Methods. The short summary is that you want to detect outliers in your services. Something that stands out from the normal and might be malicious.
What is a service
A service is Windows’ answer to handle background functions. A service can be set up to execute a specified program with the permissions of a specific user or an administrator. The service can be configured to auto start on system startup and will then run in the background forever until otherwise configured. You as a end user will not necessarily have anything to do with the services executing on your system beyond maybe accepting that they will start running the first time.
Why Windows service anomaly detection
In one way service anomaly detection is covered by process anomaly detection since services do run as processes and are normally identified with services.exe as parent. Windows services might have svchost.exe as parent. The reason why you would want to look at services as its own category separate from processes is that by running a process as a service it gains persistence.
You also detect currently paused or stopped services, non running processes which would otherwise never show up in the process tree since they are not running. This might give indications of what have happened on a system.
Persistence via running as a service
Not for all but for many malicious processes one early goal is to get persistence on the device they have infected. In other words to get the ability to keep going even after a restart. Achieving persistence can be done in different ways but one of them is by running as a service.
Read more about service persistence on Mitre‘s att&ack framework. This is what makes anomalies in services so interesting to detect. This is a technique that attackers frequently utilize for persistence and thus something we want to monitor.
Real example where service anomaly detection would help
For example, one attack by APT41 a Chinese state sponsored group’s covered by Mandiant did use services as one of their persistence methods. They got persistence for their Cobalt Strike DLL by running it as a service.
If even highly equipped and well funded groups do use services for persistence it is worth our while to dig into our running services and their anomalies. If you are interested in detecting anomalies and learning more but are not interested in coding your own tool there exists good ways to do manual Windows anomaly detection
