Malicious Service Installations

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Sigma rule (View on GitHub)

 1title: Malicious Service Installations
 2id: cb062102-587e-4414-8efa-dbe3c7bf19c6
 3related:
 4    - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
 5      type: derived
 6status: test
 7description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
 8references:
 9    - https://awakesecurity.com/blog/threat-hunting-for-paexec/
10    - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
11    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
12author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
13date: 2017/03/27
14modified: 2022/10/09
15tags:
16    - attack.persistence
17    - attack.privilege_escalation
18    - attack.t1003
19    - car.2013-09-005
20    - attack.t1543.003
21    - attack.t1569.002
22logsource:
23    product: windows
24    service: security
25    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
26detection:
27    selection:
28        EventID: 4697
29    malsvc_apt29:
30        ServiceName: 'javamtsup'
31    condition: selection and 1 of malsvc_*
32falsepositives:
33    - Unknown
34level: critical

References

Related rules

to-top