If I listed the names of the services on your Windows systems, could you tell which ones were real and which were fake? Attackers often install fake services designed to look and behave like legitimate Windows services while actually running malicious files. Is "Windows Updates" a real Windows service, or is the genuine one called "Windows Update" on your computer? (It is the latter: the real service is displayed as "Windows Update" and its service name is wuauserv.) Have you taken the time to learn which services and processes are normal on the computers in your network?
Create a baseline of Windows services
If you don't know, you need to create a baseline showing which services should be present on your systems. The PowerShell cmdlet Get-Service is a quick and dirty way to list the services installed on a system (running and stopped alike), but it does not show the path of the executable behind each service, which is exactly what you need to tell a look-alike from the real thing.
When baselining a system, start with the basics. Which services are expected to be running on your systems? On servers in particular, have you added monitoring that alerts you when a new service is installed? Workstations gain new services fairly often as software is installed, but services on servers rarely change, so any new or modified service on a server deserves a look. Monitoring servers for changes to their services and to critical directories is a security process worth putting in place. Sysmon, for example, can be added to a server to record process creation, file writes and registry changes; Windows itself also writes System log Event ID 7045 ("A service was installed in the system") whenever a new service is registered, so forward and alert on that event too.
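The baseline-and-compare process described above, as an added PowerShell example that is not code from the original article. It assumes a baseline file under %ProgramData%\ServiceBaseline (the path is an assumption, change it to suit), uses Get-CimInstance Win32_Service because, unlike Get-Service, it exposes each service's executable path and logon account, and flags four things on a later run: services that are new, services whose binary path or logon account changed, services that disappeared, and new services whose display name is a near-copy of a baseline service's display name (the "Windows Updates" next to "Windows Update" case). The look-alike check is a simple prefix comparison, an assumption chosen for illustration rather than any standard heuristic.

```powershell
# Added example, not from the original article.
# Run once with -CreateBaseline on a known-good host, then run without it
# (for example from a scheduled task) to report drift from that baseline.
param(
    # Assumed location for the baseline file.
    [string]$BaselinePath = "$env:ProgramData\ServiceBaseline\services-baseline.json",
    [switch]$CreateBaseline
)

function Get-ServiceSnapshot {
    # Win32_Service exposes PathName (the binary behind the service) and
    # StartName (the logon account); both matter when judging a look-alike.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
        Sort-Object Name
}

if ($CreateBaseline) {
    $dir = Split-Path -Parent $BaselinePath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-ServiceSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -CreateBaseline first."
}

$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$current  = Get-ServiceSnapshot

# Index both snapshots by service name (the short name, e.g. wuauserv),
# since that is what the Service Control Manager keys on.
$baseByName = @{}
foreach ($s in $baseline) { $baseByName[$s.Name] = $s }
$curByName = @{}
foreach ($s in $current)  { $curByName[$s.Name]  = $s }

# 1. Services present now that were not in the baseline.
foreach ($name in ($curByName.Keys | Where-Object { -not $baseByName.ContainsKey($_) })) {
    $s = $curByName[$name]
    Write-Warning "NEW service: $name ('$($s.DisplayName)') -> $($s.PathName) as $($s.StartName)"
}

# 2. Known services whose binary path or logon account changed: a swapped
#    executable under a legitimate service name looks exactly like this.
foreach ($name in ($curByName.Keys | Where-Object { $baseByName.ContainsKey($_) })) {
    $b = $baseByName[$name]; $c = $curByName[$name]
    if ($b.PathName -ne $c.PathName -or $b.StartName -ne $c.StartName) {
        Write-Warning ("CHANGED service: $name`n  was: $($b.PathName) as $($b.StartName)" +
                       "`n  now: $($c.PathName) as $($c.StartName)")
    }
}

# 3. Services that were in the baseline but are gone now.
foreach ($name in ($baseByName.Keys | Where-Object { -not $curByName.ContainsKey($_) })) {
    Write-Warning "REMOVED service: $name"
}

# 4. New services whose display name is a prefix-extension of a baseline
#    display name (or vice versa), e.g. "Windows Updates" vs "Windows Update".
#    Prefix matching is an illustrative assumption, not a standard heuristic.
$baseDisplayNames = $baseline | ForEach-Object { $_.DisplayName } | Where-Object { $_ }
foreach ($s in $current) {
    if ($baseByName.ContainsKey($s.Name) -or -not $s.DisplayName) { continue }
    foreach ($known in $baseDisplayNames) {
        if ($s.DisplayName -ne $known -and
            ($s.DisplayName.StartsWith($known, [System.StringComparison]::OrdinalIgnoreCase) -or
             $known.StartsWith($s.DisplayName, [System.StringComparison]::OrdinalIgnoreCase))) {
            Write-Warning "LOOK-ALIKE: '$($s.DisplayName)' ($($s.Name)) resembles baseline service '$known'"
        }
    }
}
```

Take the baseline on a freshly built, patched host before it is exposed to users, store the file somewhere the server's local administrators cannot quietly rewrite, and treat every warning from the comparison run as something to investigate rather than auto-approve; a legitimate software install will show up as a NEW service, but so will a malicious one, and the PathName and StartName columns are what let you tell them apart.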