Windows CobaltStrike service installations

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects instances where a Cobalt Strike beacon is installed as a Windows service.

Strategy

This detection monitors Windows System event logs for Event ID 7045 (A new service was installed in the system) and focuses on service installation patterns common to Cobalt Strike deployments.

Cobalt Strike is a commercial penetration testing tool that is frequently abused by threat actors for post-exploitation activities. Its beacons often use specific patterns when installed as services, including encoded PowerShell commands, suspicious paths, and network communication techniques.

Triage & Response

  • Identify the {{host}} system where the suspicious service was installed.
  • Review the service details, including service name, path, and account under which it’s configured to run.
  • Extract the binary path from the event logs and check if it points to a non-standard location.
  • Identify the user or process that installed the service by correlating with Event ID 4697.
  • Verify if the service is running with SYSTEM privileges or an unexpected user account.
  • Analyze the service binary using file reputation services or malware analysis tools.
  • Correlate with other suspicious activity by examining PowerShell logs, process creation events, and network connections.
  • Look for related indicators such as new user account creation or users added to admin groups.
  • Stop and disable the service using the Service Control Manager if malicious activity is confirmed.
  • Remove the service binary and check for additional persistence mechanisms.
  • Investigate potential lateral movement by reviewing network share access and logon events.
  • Isolate the affected system until remediation is complete to prevent further lateral movement.