PowerShell Scripts Installed as Services - Security
Detects powershell script installed as a Service
Sigma rule (View on GitHub)
1title: PowerShell Scripts Installed as Services - Security
2id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
3related:
4 - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
5 type: derived
6status: test
7description: Detects powershell script installed as a Service
8references:
9 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
10author: oscd.community, Natalia Shornikova
11date: 2020-10-06
12modified: 2022-11-29
13tags:
14 - attack.execution
15 - attack.t1569.002
16logsource:
17 product: windows
18 service: security
19 definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
20detection:
21 selection:
22 EventID: 4697
23 ServiceFileName|contains:
24 - 'powershell'
25 - 'pwsh'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
-
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…
Read More
Related rules
- CSExec Service File Creation
- CSExec Service Installation
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Credential Dumping Tools Service Execution - Security