Windows Service Events

[k2niner]

Windows Service activity doesn't cleanly map. May need to add a class to Windows Profile or modify Process Activity [1007].

From OMB M-21-31 (for Windows Logging):

• Service Status Changes (Start, Stop, Fail, Restart, etc.)
• Service Failures and Restarts
• Process Creation and Termination

[mikeradka]

Following thorough deliberation in recent System Activity meetings, we've concluded that the current class set is insufficient for capturing Windows Service events.

Our proposed action is to draft a pull request (PR) to integrate a dedicated Windows Service Events class into the Windows Extension.

[mikeradka]

Note: we could also look into windows service modifications

[davemcatcisco]

I didn't see this issue before. T1543.003 ("Create or Modify System Process: Windows Service") is one of the most commonly used sub-techniques for achieving the Persistence and Privilege Escalation tactics on Windows. It is crucial that we can adequately express this, and I agree with Mike that it should be a dedicated event in the System Activity category in the Windows extension. The event should be able to express anything that happen to a service, i.e.

• Create
• Change Config
• Control (incl. start, stop, etc.)
• Delete

I'm going to create a draft PR for this to drive the discussion.