18. ServiceCheck

The ServiceCheck module evaluates all registered local Windows services. It detects suspicious service entries through a number of anomaly checks and blacklisted keywords, and reports file path anomalies (e.g. a service binary located in a typical attacker location).

18.1. Samples

Aug 1 15:14:26 server88.localnet/192.168.2.4
THOR: Warning: MODULE: ServiceCheck
MESSAGE: Service started from typical attacker location
KEY: srvany
SERVICE_NAME: srvany
IMAGE_PATH: c:\srvany.exe
SHA1: 7c5329229042535fe56e74f1f246c6da8cea3be8
START_TYPE: unknown
USER: LocalSystem
SCORE: 75

Jul 1 11:52:41 server77.local.net/10.10.9.19
THOR: Warning: MODULE: ServiceCheck
MESSAGE: Service started from suspected attacker location
KEY: cpuz139
SERVICE_NAME: cpuz139
IMAGE_PATH: \??\C:\Users\u23491\AppData\Local\Temp\cpuz139\cpuz139_x64.sys
SHA1: 13df48ab4cd412651b2604829ce9b61d39a791bb
START_TYPE: ONDEMAND_START
USER:
SCORE: 75

Nov 20 11:44:52 PROMETHEUS/10.0.2.4
THOR: Warning: MODULE: ServiceCheck
MESSAGE: YARA Rule Match in service
STRING: loadersvc - {993B4A05-7C9E-4DA7-9052-4192A3B96F21} - C:\Testing\uixvd.exe
NAME: Malicious_Keylogger_Service_Driver
SCORE: 65
DESCRIPTION: Detects malicious keylogger service driver - loadersvc
REF: -
MATCHED_STRINGS:
        Str1: loadersvc
KEY: loadersvc
SERVICE_NAME: {993B4A05-7C9E-4DA7-9052-4192A3B96F21}
IMAGE_PATH: C:\Testing\uixvd.exe
MODIFIED: 2017-03-17T10:53:51.143664
SHA1: -
START_TYPE: ONDEMAND_START
USER: LocalSystem

18.2. Typical False Positives

  • Legitimate software whose service binaries are located in suspicious folders (e.g. the user's %AppData% folder)

  • Services whose image file name matches a regular-expression file name IOC

  • Services registered by administrators in suspicious locations (e.g. C:\srvany.exe)

18.3. Attribute Evaluation

Attribute       | Question                                                                                                | Answer | Indication | Weight
----------------|---------------------------------------------------------------------------------------------------------|--------|------------|-------
ELEMENT         | See chapter File Path Checks                                                                            |        |            |
MD5/SHA1/SHA256 | See chapter Hash Checks for generic checks on hashes                                                    |        |            |
SERVICE_NAME    | Is the service name a random ID? (e.g. 98ncjs87e, {993B4A05-7C9E-4DA7-9052-4192A3B96F21})               | Yes    | Bad        | Medium
START_TYPE      | Is the start-type ONDEMAND*?                                                                            | Yes    | Good       | Low
MODIFIED        | Has the service been modified in a suspicious time frame? (Sunday night between 00:00 am and 06:00 am)  | Yes    | Bad        | Medium
MESSAGE         | Does a YARA rule match on the service entry?                                                            | Yes    | Bad        | Medium
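As an added example (not THOR's own code; the module's internal logic is not on this page), the following Python parses one ServiceCheck record in the key/value layout of the samples above and applies the checks from the attribute evaluation table to it, so an analyst can triage exported records consistently. The random-name heuristic (GUID, or a mix of at least three letters and three digits), the location patterns (drive root, AppData, Temp, taken from the samples and the false-positive list) and the reading of "Sunday night" as the early hours of calendar Sunday are assumptions made here; THOR's real thresholds and its File Path Checks list live in their own chapters. The sample record is constructed, modelled on the third sample with a Sunday timestamp and a Temp path so that every check fires.

```python
import re
from datetime import datetime

# Constructed sample record, modelled on the manual's third sample; MODIFIED is
# set to a Sunday 02:13 and IMAGE_PATH to a Temp folder so every check fires.
SAMPLE_RECORD = """\
THOR: Warning: MODULE: ServiceCheck
MESSAGE: YARA Rule Match in service
KEY: loadersvc
SERVICE_NAME: {993B4A05-7C9E-4DA7-9052-4192A3B96F21}
IMAGE_PATH: \\??\\C:\\Users\\u23491\\AppData\\Local\\Temp\\uixvd.exe
MODIFIED: 2017-03-19T02:13:40.000000
SHA1: -
START_TYPE: ONDEMAND_START
USER: LocalSystem
"""

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
FIELD_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*|Str\d+):\s?(.*)$")

# Assumed location patterns derived from the samples and the false-positive
# list (user AppData, Temp); THOR's actual path list is documented elsewhere.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\")


def parse_record(text):
    """Turn one ServiceCheck record into a dict. The 'THOR: Warning: ...'
    header line parses as a THOR key that the checks simply ignore."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_random_name(name):
    """SERVICE_NAME check (heuristic): a GUID, or a name of 8+ characters
    mixing at least three letters and three digits, e.g. 98ncjs87e."""
    if GUID_RE.match(name):
        return True
    digits = sum(c.isdigit() for c in name)
    letters = sum(c.isalpha() for c in name)
    return len(name) >= 8 and digits >= 3 and letters >= 3


def is_on_demand(start_type):
    """START_TYPE check: ONDEMAND* is the benign indication in the table."""
    return start_type.upper().startswith("ONDEMAND")


def modified_in_suspicious_window(modified):
    """MODIFIED check: Sunday between 00:00 and 06:00 (assumed to mean the
    early hours of calendar Sunday). False if the field is missing or not ISO 8601."""
    try:
        ts = datetime.fromisoformat(modified)
    except (TypeError, ValueError):
        return False
    return ts.weekday() == 6 and ts.hour < 6


def normalise_image_path(image_path):
    """Strip surrounding quotes and the NT object-manager prefix (\\??\\)."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_suspicious_location(image_path):
    """IMAGE_PATH check: binary directly in a drive root (as in c:\\srvany.exe)
    or under an AppData/Temp directory."""
    p = normalise_image_path(image_path).lower()
    in_root = re.match(r"^[a-z]:\\[^\\]+$", p) is not None
    return in_root or any(d in p for d in SUSPICIOUS_DIRS)


def evaluate(fields):
    """Apply the table's checks; returns {attribute: (indication, weight)}
    for every check that fired."""
    findings = {}
    if is_random_name(fields.get("SERVICE_NAME", "")):
        findings["SERVICE_NAME"] = ("Bad", "Medium")
    if is_on_demand(fields.get("START_TYPE", "")):
        findings["START_TYPE"] = ("Good", "Low")
    if modified_in_suspicious_window(fields.get("MODIFIED")):
        findings["MODIFIED"] = ("Bad", "Medium")
    if "YARA Rule Match" in fields.get("MESSAGE", ""):
        findings["MESSAGE"] = ("Bad", "Medium")
    if is_suspicious_location(fields.get("IMAGE_PATH", "")):
        # The table defers this attribute to the File Path Checks chapter,
        # which is where its weight is defined.
        findings["IMAGE_PATH"] = ("Bad", "see File Path Checks")
    return findings


if __name__ == "__main__":
    for attr, (indication, weight) in evaluate(parse_record(SAMPLE_RECORD)).items():
        print(f"{attr:13} {indication:5} weight={weight}")
```

Run against a file of exported records by splitting on blank lines and feeding each chunk to parse_record; a record with only the START_TYPE finding is the "Good" case from the table, while several Bad findings on one record are what the samples above show.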