PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

Sigma rule (View on GitHub)

 1title: PowerShell Scripts Installed as Services - Security
 2id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
 3related:
 4    - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
 5      type: derived
 6status: test
 7description: Detects powershell script installed as a Service
 8references:
 9    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
10author: oscd.community, Natalia Shornikova
11date: 2020/10/06
12modified: 2022/11/29
13tags:
14    - attack.execution
15    - attack.t1569.002
16logsource:
17    product: windows
18    service: security
19    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
20detection:
21    selection:
22        EventID: 4697
23        ServiceFileName|contains:
24            - 'powershell'
25            - 'pwsh'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top