In this series of posts, we'll share various product use cases, their importance, and how the product can be used to solve them. In this post, we look at the correlation rule to detect suspicious service installations.
Rule name: Suspicious service installed
What the rule detects: This rule identifies malicious services running on your organization's devices.
Why the rule is useful: At any given time, a Windows machine runs several services, all of which are required to accomplish several essential functions. Since they run in the background, it's easy for malicious services running on your system to go unnoticed. If a malicious insider is able to gain access to a specific target device, they can easily install a malicious service on it. This service can be used to spy on the target device and send activity information or other confidential data back to the attacker. So, it's important to monitor all service installations and detect unauthorized ones.
How the rule works: EventLog Analyzer first detects brute-force entry to a device by checking for several failed logons, followed by a successful logon. If this same user then installs and starts a service on the device, EventLog Analyzer flags this activity as suspicious and alerts you via email or SMS.