Malicious Service Installations
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
Sigma rule (View on GitHub)
1title: Malicious Service Installations
2id: cb062102-587e-4414-8efa-dbe3c7bf19c6
3related:
4 - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
5 type: derived
6status: test
7description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
8references:
9 - https://awakesecurity.com/blog/threat-hunting-for-paexec/
10 - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
11 - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
12author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
13date: 2017/03/27
14modified: 2022/10/09
15tags:
16 - attack.persistence
17 - attack.privilege_escalation
18 - attack.t1003
19 - car.2013-09-005
20 - attack.t1543.003
21 - attack.t1569.002
22logsource:
23 product: windows
24 service: security
25 definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
26detection:
27 selection:
28 EventID: 4697
29 malsvc_apt29:
30 ServiceName: 'javamtsup'
31 condition: selection and 1 of malsvc_*
32falsepositives:
33 - Unknown
34level: critical
References
Related rules
- CobaltStrike Service Installations - Security
- Code Injection by ld.so Preload
- WMI Persistence - Security
- Loading of Kernel Module via Insmod
- Suspicious Commands by SQL Server