T1036.004 Masquerade Task or Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousServiceNames = dynamic(["Windows Update Security", "Microsoft Network Realtime", "Windows Advanced Task Manager", "Google Chrome Security Update", "Windows Video Service", "Windows Power Efficiency", "System Authorization Service", "Windows Management Help", "Microsoft Support", "Windows User Service"]);
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled"
| where AdditionalFields has_any (SuspiciousServiceNames)
   or AdditionalFields matches regex @"(?i)(svchost|update|security|microsoft|google|chrome|adobe|windows).*service"
| project Timestamp, DeviceName, AccountName, ActionType, AdditionalFields
| sort by Timestamp desc

high severity medium confidence

Data Sources

Service: Service Creation Service: Service Metadata Microsoft Defender for Endpoint

Required Tables

DeviceEvents

False Positives

Legitimate Windows Update-related services installed during OS or feature updates
Third-party security software that creates services with names containing 'Security' or 'Update'
Enterprise software deployment tools (SCCM, Intune) creating services during application installation
Google Chrome, Adobe, and other software creating legitimate update services

Splunk

spl

(index=wineventlog sourcetype="WinEventLog:System" EventCode=7045)
OR (index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\services.exe")
| eval ServiceDisplayName=coalesce(ServiceName, ServiceDisplayName, param1)
| eval SuspiciousName=if(match(lower(ServiceDisplayName), "(windows update security|microsoft network realtime|windows advanced task|google chrome security|windows video service|windows power efficiency|system authorization|windows management help|microsoft support|windows user service)"), 1, 0)
| eval GenericMimic=if(match(lower(ServiceDisplayName), "(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)"), 1, 0)
| where SuspiciousName=1 OR GenericMimic=1
| table _time, host, User, ServiceDisplayName, ServiceName, Image, CommandLine, ServiceType, StartType
| sort - _time

high severity medium confidence

Data Sources

Service: Service Creation Process: Process Creation Windows System Event ID 7045 Sysmon Event ID 1

Required Sourcetypes

WinEventLog:System XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Windows Update-related services installed during OS or feature updates
Third-party security software that creates services with names containing 'Security' or 'Update'
Enterprise software deployment tools creating services during application installation

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [registry where registry.path : ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\*") and
   registry.data.strings : ("*svchost*", "*update*", "*security*", "*microsoft*", "*google*", "*chrome*", "*adobe*") and
   registry.value : "ImagePath"]
  [process where event.type == "start" and process.parent.name : "services.exe"]

// Alternative flat query for service installation events:
process where event.type == "start" and
  process.parent.name : "services.exe" and
  (
    process.name : ("Windows Update Security*", "Microsoft Network Realtime*", "Windows Advanced Task Manager*",
                    "Google Chrome Security Update*", "Windows Video Service*", "Windows Power Efficiency*",
                    "System Authorization Service*", "Windows Management Help*", "Microsoft Support*",
                    "Windows User Service*") or
    process.args : ("*svchost*service*", "*update*service*", "*security*service*",
                    "*microsoft*service*", "*google*service*", "*chrome*service*", "*adobe*service*")
  )

high severity high confidence

Data Sources

Windows Security Event Log (4697) Sysmon (Event ID 1, 12/13) Elastic Endpoint agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate third-party software installers that create services with names similar to Microsoft or Google products during initial setup
Enterprise software management tools (SCCM, Tanium) that deploy services with generic descriptive names matching the suspicious patterns
Security vendors whose agent services use names containing 'update', 'security', or vendor names like 'Microsoft' legitimately

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  "ServiceName",
  "ServiceFileName",
  "ServiceType",
  "ServiceStartType",
  payload
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 45)
  AND (
    (eventid = 7045 AND (
      LOWER("ServiceName") MATCHES '(windows update security|microsoft network realtime|windows advanced task|google chrome security|windows video service|windows power efficiency|system authorization|windows management help|microsoft support|windows user service)'
      OR LOWER("ServiceName") MATCHES '(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)'
    ))
    OR
    (eventid = 4697 AND (
      LOWER("ServiceName") MATCHES '(windows update security|microsoft network realtime|windows advanced task|google chrome security|windows video service|windows power efficiency|system authorization|windows management help|microsoft support|windows user service)'
      OR LOWER("ServiceName") MATCHES '(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)'
    ))
  )
  AND DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY starttime DESC
LIMIT 1000

high severity high confidence

Data Sources

Windows System Event Log (7045) Windows Security Event Log (4697) QRadar WinCollect agent

Required Tables

events

False Positives

Legitimate enterprise patch management tools that register update services under names resembling Microsoft or Google services
Corporate antivirus or EDR solutions that install security-related services with names that match the generic mimic pattern
Custom internal tooling deployed by IT that creates services referencing vendor names in their service identifiers

Sumo Logic CSE

sql

_sourceCategory=windows/system OR _sourceCategory=windows/security
| where EventID in ("7045", "4697")
| parse field=Message "Service Name: *" as ServiceName nodrop
| parse field=Message "Service File Name: *" as ServiceFileName nodrop
| parse field=Message "Account Name: *" as AccountName nodrop
| parse field=Message "Service Type: *" as ServiceType nodrop
| parse field=Message "Start Type: *" as StartType nodrop
| where (
    matches(toLowerCase(ServiceName), ".*windows update security.*") or
    matches(toLowerCase(ServiceName), ".*microsoft network realtime.*") or
    matches(toLowerCase(ServiceName), ".*windows advanced task.*") or
    matches(toLowerCase(ServiceName), ".*google chrome security.*") or
    matches(toLowerCase(ServiceName), ".*windows video service.*") or
    matches(toLowerCase(ServiceName), ".*windows power efficiency.*") or
    matches(toLowerCase(ServiceName), ".*system authorization service.*") or
    matches(toLowerCase(ServiceName), ".*windows management help.*") or
    matches(toLowerCase(ServiceName), ".*microsoft support.*") or
    matches(toLowerCase(ServiceName), ".*windows user service.*") or
    matches(toLowerCase(ServiceName), ".*(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent).*")
  )
| fields _messageTime, Computer, AccountName, ServiceName, ServiceFileName, ServiceType, StartType, EventID
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows System Event Log (7045) Windows Security Event Log (4697) Sumo Logic Windows Event Log source

Required Tables

_sourceCategory=windows/system _sourceCategory=windows/security

False Positives

Software deployment pipelines (Jenkins, Octopus Deploy) installing legitimate services during automated deployments that use descriptive names with product keywords
IT asset management agents that self-register as services under names containing 'Windows', 'Microsoft', or other vendor terms
Development or staging environments where developers test service installations with descriptive names that happen to match suspicious patterns

Google Chronicle / SecOps

yaral

rule masquerade_task_or_service_t1036_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects installation of Windows services with names mimicking legitimate Microsoft, Google, or Adobe services — MITRE ATT&CK T1036.004"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.004"
    reference = "https://attack.mitre.org/techniques/T1036/004/"
    false_positives = "Legitimate enterprise software with generic service names"

  events:
    $e.metadata.event_type = "SERVICE_MODIFICATION"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    (
      re.regex($e.target.resource.name,
        `(?i)(windows update security|microsoft network realtime|windows advanced task manager|google chrome security update|windows video service|windows power efficiency|system authorization service|windows management help|microsoft support|windows user service)`
      )
      or
      re.regex($e.target.resource.name,
        `(?i)(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)`
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Security Event Log via Chronicle ingestion Chronicle UDM normalized events Google Chronicle SIEM

Required Tables

UDM events with metadata.event_type = SERVICE_MODIFICATION

False Positives

Legitimate Windows servicing stack components installed by Windows Update that use internally similar naming conventions to the suspicious name list
Third-party security software (endpoint protection, DLP agents) that installs services with names closely resembling Microsoft component naming patterns
Corporate IT automation scripts that install network or management agents with descriptive service names containing vendor product keywords

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) — Masqueraded Service Installation T1036.004
#event_simpleName = ServiceInstall
| regex(field=ServiceDisplayName, regex="(?i)(windows update security|microsoft network realtime|windows advanced task manager|google chrome security update|windows video service|windows power efficiency|system authorization service|windows management help|microsoft support|windows user service)", as=KnownSuspiciousName)
| regex(field=ServiceDisplayName, regex="(?i)(svchost|update|security|microsoft|google|chrome|adobe).*(service|task|helper|agent)", as=GenericMimicName)
| where KnownSuspiciousName = true OR GenericMimicName = true
| table([timestamp, ComputerName, UserName, ServiceDisplayName, ServiceImagePath, ServiceObjectName, ServiceType, ServiceStartType])
| sort(timestamp, order=desc)

// Alternative: catch masquerade via process ancestry (services.exe spawning unexpected children)
// #event_simpleName = ProcessRollup2
// | where ParentBaseFileName = "services.exe"
// | regex(field=ImageFileName, regex="(?i)(windows update|microsoft network|google chrome|system authorization|windows management)", as=MimickedBinary)
// | where MimickedBinary = true
// | groupBy([ComputerName, UserName, ImageFileName, CommandLine], function=count())

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ServiceInstall events) CrowdStrike Falcon ProcessRollup2 events Falcon Data Replicator (FDR)

Required Tables

#event_simpleName = ServiceInstall #event_simpleName = ProcessRollup2

False Positives

Legitimate CrowdStrike sensor updates or other Falcon platform components that may install or update service registrations with names matching the generic pattern
Enterprise MDM or endpoint management platforms (Ivanti, ManageEngine) that register management agent services with names containing 'Windows', 'Update', or 'Security'
Software with OEM or white-labeled components that adopt Microsoft or Google product naming conventions in their service identifiers during installation

Masquerade Task or Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections