eG Monitoring
 

Measures reported by ScrtySrvceChecksTest

A service whose executable (or the directory that holds it) grants write access to unprivileged users is exposed to privilege escalation. A standard user can modify or replace the executable with arbitrary code, which runs the next time the service starts, under the service's own account rather than the user's. Because most services run as a highly privileged account, this typically takes an attacker from initial access as a standard user or application account to Administrator, root, or, on Windows, NT AUTHORITY\SYSTEM (full system access). It is therefore crucial to keep watch over the Windows services and to alert administrators to any potential security threat.

The ScrtySrvceChecksTest monitors the Windows service logs and tracks the number of recently installed programs and services. It also reports the number of services that are configured as disabled but are nonetheless running, the number of Windows services whose executable has vulnerable permissions, and the number of services with unquoted image paths. Administrators are thus alerted promptly to possible tampering and can remove the weakness before it is exploited.

Outputs of the test : One set of results for the Windows host being monitored.

The measures made by this test are as follows:

Measurement: newPrgrms
Description: Indicates the number of programs that were recently installed.
Unit: Number
Interpretation: The detailed diagnosis of this measure lists the name of each program and the time at which it was identified.

Measurement: newSrvcs
Description: Indicates the number of Windows services that were recently installed.
Unit: Number

Measurement: rnngDsbldSrvcs
Description: Indicates the number of services listed in the Services to be Disabled parameter that are nonetheless running.
Unit: Number

Measurement: inscrWndwsSrvcs
Description: Indicates the number of services whose executable has weak or vulnerable permissions.
Unit: Number
Interpretation: The detailed diagnosis of this measure lists the service name, the time at which it was identified, the image path with its arguments, and the start mode.

Measurement: unqtdWndwsSrvcs
Description: Indicates the number of Windows services with an unquoted image path.
Unit: Number
Interpretation: When a service is created whose executable path contains spaces and is not enclosed in quotes, the result is the vulnerability known as Unquoted Service Path: the service control manager tries each space-delimited prefix of the path as an executable before reaching the real one, so a user who can write to one of those intermediate directories can plant a binary that runs with the service's privileges, typically SYSTEM. The detailed diagnosis of this measure lists the service name, the time at which it was identified, the image path with its arguments, and the start mode.
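As an added example (not code from this page or from the eG agent), the following PowerShell script approximates three of the measures above, rnngDsbldSrvcs, inscrWndwsSrvcs and unqtdWndwsSrvcs, with built-in cmdlets so that an administrator can cross-check a finding by hand. It assumes PowerShell 5.1 or later, an elevated session (so every service configuration and file ACL is readable), and the author's own choice of low-privilege principals and write rights; it does not reproduce eG's exact logic or thresholds. For unquoted paths it goes one step beyond the measure and reports whether an intermediate directory is actually writable by an unprivileged user, which is what makes such a path exploitable.

```powershell
# Added example; not part of the eG Enterprise page or the eG agent's own code.
# Approximates three ScrtySrvceChecksTest measures (rnngDsbldSrvcs,
# inscrWndwsSrvcs, unqtdWndwsSrvcs) with plain PowerShell 5.1+. Run it as a
# local Administrator so every service configuration and file ACL is readable.
# The principal list and right mask below are assumptions, not eG's logic.

$ErrorActionPreference = 'Stop'

# Identities every unprivileged local user belongs to (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder alter or replace a file, plus GENERIC_WRITE
# (0x40000000), which some ACEs carry instead of the specific bits.
$WriteBits = [int]([System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,Delete,ChangePermissions,TakeOwnership') -bor 0x40000000

function Get-ServiceExecutable {
    # Image path without its arguments, or $null if it cannot be determined.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: treat everything up to the first ".exe" as the image path.
    $idx = $PathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) { return $PathName.Substring(0, $idx + 4) }
    return ($PathName -split ' ')[0]
}

function Test-UnquotedServicePath {
    # True when the image path is unquoted and contains a space.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName) -or $PathName.StartsWith('"')) { return $false }
    $exe = Get-ServiceExecutable $PathName
    return ($null -ne $exe) -and $exe.Contains(' ')
}

function Get-UnquotedPathCandidateDirs {
    # For "C:\Program Files\My App\svc.exe" the service control manager tries
    # C:\Program.exe and then "C:\Program Files\My.exe" before the real binary,
    # so the directories to check for planted files are C:\ and C:\Program Files.
    param([string]$Exe)
    $parts = $Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $parent = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
        if ($parent) { $parent }
    }
}

function Test-WeakPermissions {
    # True if a low-privilege principal holds an Allow ACE with a write bit
    # on the given file or directory.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName
    $row = @{ Service = $svc.Name; StartMode = $svc.StartMode; State = $svc.State; Path = $svc.PathName }

    # rnngDsbldSrvcs: configured as Disabled but currently running.
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Running') {
        [pscustomobject]($row + @{ Check = 'RunningDisabled'; Exploitable = 'n/a' })
    }
    # inscrWndwsSrvcs: the binary itself can be replaced by an unprivileged user.
    if ($exe -and (Test-WeakPermissions $exe)) {
        [pscustomobject]($row + @{ Check = 'WeakPermissions'; Exploitable = $true })
    }
    # unqtdWndwsSrvcs: unquoted path; exploitable only if an intermediate
    # directory lets a low-privilege user drop the decoy executable.
    if (Test-UnquotedServicePath $svc.PathName) {
        $writable = @(Get-UnquotedPathCandidateDirs $exe | Where-Object { Test-WeakPermissions $_ })
        [pscustomobject]($row + @{ Check = 'UnquotedPath'; Exploitable = ($writable.Count -gt 0) })
    }
}

$findings | Sort-Object Check, Service | Format-Table Check, Service, Exploitable, StartMode, Path -AutoSize
```

Services whose image path does not resolve on disk (for example paths using environment variables) are skipped by the permission check rather than reported, so a clean run here does not replace the agent's own diagnosis; it is a second opinion on the entries it flags.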