Query Details

Service Install

Query


name: Execution, Indicators of usage of winexe for lateral movement
description: Detects installation of the service that the winexe remote administration tool creates on a target host
references: https://attack.mitre.org/software/S0191/,https://community.netwitness.com/t5/netwitness-community-blog/detecting-lateral-movement-in-rsa-netwitness-winexe/ba-p/520480
tags: Execution, S0191
search_query:
DeviceEvents
| where ActionType == 'ServiceInstalled'
| extend parsed = parse_json(AdditionalFields)
| where parsed.ServiceName has "winexesvc"
Notes:

Explanation

This query is designed to detect the installation of the service created by the "winexe" remote administration tool. winexe executes commands on a remote Windows host over SMB by copying its service binary into the ADMIN$ share and registering it as a service named "winexesvc", so seeing that service appear on a host is a strong indicator of lateral movement. Here's a breakdown of what the query does:

  1. Source: It looks at DeviceEvents, the Microsoft Defender for Endpoint table that records miscellaneous device actions, including service installations.
  2. Filter by ActionType: It filters these events to only include those where the ActionType is 'ServiceInstalled', indicating a new service has been registered.
  3. Parse Additional Fields: It extracts the event-specific details from the AdditionalFields column by parsing it as JSON; for ServiceInstalled events this is where the service name lives.
  4. Check for winexe Service: It then checks whether the parsed ServiceName has the term "winexesvc", the service name used by winexe. The has operator is a case-insensitive whole-term match, so "WinExeSvc" matches but a variant such as "winexesvc2" would not; use contains if you want substring matching at the cost of more noise.

In summary, this query identifies instances where the winexe service has been installed on a device, which is a strong indicator of lateral movement activity within the network. Because the match is on the service name alone, an attacker who rebuilds winexe with a different service name evades it; pairing the name check with the dropped binary name and the named pipe winexesvc creates gives more robust coverage.
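The following is an added example for Advanced Hunting, not the query published on this page or part of winexe itself. It extends the detection above in two ways: it matches on the service binary winexe drops (winexesvc.exe) as well as on the service name, and it correlates each hit with NamedPipeEvent telemetry for the "ahexec" pipe that winexesvc listens on. It assumes, beyond what the page states, that AdditionalFields for ServiceInstalled also carries ServiceType, ServiceStartType and ServiceAccount, that FileName and FolderPath hold the service binary, and that NamedPipeEvent exposes a PipeName key in AdditionalFields; drop any of those columns that are absent in your tenant.

```kql
// Added example, not the page's own query. Assumptions (not confirmed by the
// page): ServiceInstalled AdditionalFields carries ServiceType,
// ServiceStartType and ServiceAccount; FileName/FolderPath hold the service
// binary; NamedPipeEvent AdditionalFields carries PipeName.
let lookback = 7d;
// 1. Service installs that look like winexe, matched by service name or by the
//    binary winexe copies into ADMIN$ (C:\Windows\winexesvc.exe).
let winexe_services = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ServiceInstalled"
| extend parsed = parse_json(AdditionalFields)
| extend ServiceName      = tostring(parsed.ServiceName),
         ServiceType      = tostring(parsed.ServiceType),
         ServiceStartType = tostring(parsed.ServiceStartType),
         ServiceAccount   = tostring(parsed.ServiceAccount)
| where ServiceName has "winexesvc"          // whole-term, case-insensitive
     or FileName =~ "winexesvc.exe"          // binary name, case-insensitive
     or FolderPath contains "winexesvc"      // catches renamed services that keep the path
| project Timestamp, DeviceId, DeviceName, ServiceName, ServiceType,
          ServiceStartType, ServiceAccount, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessAccountName, ReportId;
// 2. The named pipe winexesvc creates for command I/O ("ahexec" in the winexe
//    source), summarised per device so it can be joined as corroboration.
let ahexec_pipes = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "NamedPipeEvent"
| extend PipeName = tostring(parse_json(AdditionalFields).PipeName)
| where PipeName has "ahexec"
| summarize PipeFirstSeen = min(Timestamp), PipeEvents = count() by DeviceId;
// 3. Service installs with pipe corroboration where it exists; a service hit
//    with no pipe activity is still worth triage, hence the left outer join.
winexe_services
| join kind=leftouter ahexec_pipes on DeviceId
| extend PipeCorroborated = isnotempty(PipeFirstSeen)
| project-away DeviceId1
| order by Timestamp desc
```

Run this in the Defender Advanced Hunting portal; the `PipeCorroborated` column separates hosts where the service was both installed and actually used from ones where only the install was observed (for example a blocked or uninstalled service). The `FolderPath contains` clause is the noisier of the three matches and can be removed if it produces false positives in your environment.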

Details


Ali Hussein

Released: January 24, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

==
|
extend
parse_json
has
