Windows service logs (Event ID 7045) are generated when new services are created on the local Windows machine. These events can be monitored to identify attempted backdoor service installation via PowerShell command strings in the Service File Name field. Services created with PowerShell commands, including base64 encoded data and the ‘-e’ or ‘-EncodedCommand’ switches, warrant further investigation.
- An attacker compromises a target Windows server machine via an exploited vulnerability.
- The attacker creates a service which will execute an encoded PowerShell command.
- When the service is started, it installs or runs a process that will backdoor the system or similar malicious activity.
Service installation is a post-compromise action and requires the attacker to have otherwise gained access to the system locally or remotely via exploited vulnerabilities.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.