Query Details

Service Creation IDE

Query

Tags:
Query:
IdentityDirectoryEvents
// Service creation events from Defender for Identity
| where ActionType contains "Service creation"
// AdditionalFields is a JSON string; parse it to reach ServiceCommand
| extend parsed = parse_json(AdditionalFields)
// has_any matches whole terms, case-insensitively (comma was missing before 'admin$')
| where tostring(parsed.ServiceCommand) has_any ('comspec', 'btobto', 'psexe', 'powershell', 'cmd', 'systemroot', 'admin$')

References:

False positives:

Explanation

This query is searching through identity directory events to find instances where a service was created. It then looks into additional details of these events to check if the service creation command involves any of the following terms: 'comspec', 'btobto', 'psexe', 'powershell', 'cmd', 'systemroot', or 'admin$'.

In simple terms, the query is identifying suspicious service creation activities that might indicate malicious behavior by checking for specific command terms commonly associated with such activities.
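As an added example that is not part of this query page, the following Python replays the same detection logic over constructed IdentityDirectoryEvents rows. The has_any emulation is an approximation of Kusto's whole-term, case-insensitive matching, and the ServiceName/ServiceCommand sample values are invented.

```python
import json
import re
from typing import Iterable, List, Tuple

# Terms from the hunting query; KQL has_any is case-insensitive.
SERVICE_COMMAND_TERMS = ("comspec", "btobto", "psexe", "powershell",
                         "cmd", "systemroot", "admin$")

def kql_has_any(text: str, terms: Iterable[str]) -> bool:
    """Approximate KQL has_any: a term matches only as a whole token
    (bounded by non-alphanumerics or the string ends), case-insensitively.
    Assumption: Kusto's own indexing of a term containing '$' may differ."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False

def match_service_creation(events: List[dict]) -> List[Tuple[str, str]]:
    """Replay the query: filter ActionType, parse AdditionalFields JSON,
    test ServiceCommand; return (ServiceName, ServiceCommand) per hit."""
    hits = []
    for ev in events:
        # KQL 'contains' is a case-insensitive substring match.
        if "service creation" not in str(ev.get("ActionType", "")).lower():
            continue
        try:
            parsed = json.loads(ev.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            continue  # parse_json would give null and the row drops out
        command = str(parsed.get("ServiceCommand", ""))
        if kql_has_any(command, SERVICE_COMMAND_TERMS):
            hits.append((str(parsed.get("ServiceName", "")), command))
    return hits

def _fields(**kw) -> str:
    return json.dumps(kw)  # AdditionalFields arrives as a JSON string

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ActionType": "Service creation", "AdditionalFields": _fields(ServiceName="PSEXESVC", ServiceCommand=r"%SystemRoot%\PSEXESVC.exe")},
    {"ActionType": "Service creation", "AdditionalFields": _fields(ServiceName="VendorBackup", ServiceCommand=r"C:\Program Files\Vendor\backup.exe")},
    {"ActionType": "Service creation", "AdditionalFields": _fields(ServiceName="svc", ServiceCommand=r"\\dc01\ADMIN$\svc.exe -k")},
    {"ActionType": "Service creation", "AdditionalFields": _fields(ServiceName="upd", ServiceCommand="%COMSPEC% /c whoami")},
    {"ActionType": "Group membership changed", "AdditionalFields": _fields(ServiceName="n/a", ServiceCommand="cmd.exe /c dir")},
]
```

Running match_service_creation(SAMPLE_EVENTS) returns three hits; note that the whole-term rule means 'psexe' does not match the token PSEXESVC on its own, so that row is caught by 'systemroot' instead.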

Details

Ali Hussein

Released: September 13, 2023

Tables

IdentityDirectoryEvents

Keywords

Identity

Operators

contains

extend

parse_json

where

has_any