Service Installed By Unusual Client - Security

Detects a Windows service installation (Security event 4697) whose recorded client process ID, or the client's parent process ID, is 0. PID 0 belongs to the System Idle Process, which never calls the Service Control Manager, so a 4697 record carrying it means the SCM could not attribute the installation to a real local process; ordinary software installs are attributed to the installer process and its parent.

Sigma rule (View on GitHub)

```yaml
title: Service Installed By Unusual Client - Security
id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
    - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
      type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
    - https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch
date: 2022/09/15
modified: 2023/01/04
tags:
    - attack.privilege_escalation
    - attack.t1543
logsource:
    service: security
    product: windows
    definition: The 'Security System Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    selection:
        EventID: 4697
    selection_pid:
        - ClientProcessId: 0
        - ParentProcessId: 0
    condition: all of selection*
falsepositives:
    - Unknown
level: high
```
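The rule's condition is `all of selection*`, so a record must carry EventID 4697 and satisfy `selection_pid`, where the YAML list means ClientProcessId == 0 or ParentProcessId == 0. The following is an added example, not code from the SigmaHQ rule or any Sigma backend: it applies that logic to constructed 4697 records flattened the way a log shipper would emit them, and also normalises PID fields that arrive as integers or hex strings (an assumption about pipeline variance, not something the rule specifies).

```python
"""Apply the 'Service Installed By Unusual Client' logic to 4697 records.

Added example, not part of the Sigma rule or the SigmaHQ project.
The records below are constructed to mimic the EventData fields of
Security event 4697; field names follow the rule (EventID,
ClientProcessId, ParentProcessId).
"""
import re
from typing import Iterable, List, Optional

RULE_TITLE = "Service Installed By Unusual Client - Security"
RULE_LEVEL = "high"


def _pid(value) -> Optional[int]:
    """Normalise a PID field to int.

    4697 renders PIDs as decimal strings; some pipelines emit hex
    ("0x0") or ints (assumed variance). Anything unparsable returns
    None so a malformed record never matches the PID-0 test by accident.
    """
    if value is None:
        return None
    if isinstance(value, int):
        return value
    s = str(value).strip()
    try:
        return int(s, 16) if re.fullmatch(r"0[xX][0-9a-fA-F]+", s) else int(s)
    except ValueError:
        return None


def matches(record: dict) -> bool:
    """Return True when the record satisfies `all of selection*`.

    selection:      EventID == 4697
    selection_pid:  ClientProcessId == 0 OR ParentProcessId == 0
                    (a YAML list under one selection is OR-ed in Sigma)
    """
    if _pid(record.get("EventID")) != 4697:
        return False
    return (_pid(record.get("ClientProcessId")) == 0
            or _pid(record.get("ParentProcessId")) == 0)


def run(records: Iterable[dict]) -> List[dict]:
    """Return the alerts the rule would raise over `records`."""
    return [
        {"title": RULE_TITLE, "level": RULE_LEVEL,
         "service": r.get("ServiceName"), "image": r.get("ServiceFileName"),
         "client_pid": _pid(r.get("ClientProcessId")),
         "parent_pid": _pid(r.get("ParentProcessId"))}
        for r in records if matches(r)
    ]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: installer (PID 4120) spawned by msiexec (PID 3988) registers a service.
    {"EventID": "4697", "ServiceName": "UpdaterSvc",
     "ServiceFileName": "C:\\Program Files\\Vendor\\updater.exe",
     "ClientProcessId": "4120", "ParentProcessId": "3988"},
    # Suspicious: SCM could not attribute the install to a local process.
    {"EventID": "4697", "ServiceName": "svc1",
     "ServiceFileName": "C:\\Windows\\Temp\\svc1.exe",
     "ClientProcessId": "0", "ParentProcessId": "0"},
    # Suspicious: client PID is real but its parent is reported as 0 (hex-rendered).
    {"EventID": "4697", "ServiceName": "svcx",
     "ServiceFileName": "C:\\Windows\\Temp\\x.exe",
     "ClientProcessId": "0x1a2c", "ParentProcessId": "0x0"},
    # Out of scope: different EventID, even though the PID fields are 0.
    {"EventID": "7045", "ClientProcessId": "0", "ParentProcessId": "0"},
    # Malformed PID fields must not match.
    {"EventID": "4697", "ServiceName": "bad",
     "ClientProcessId": "", "ParentProcessId": "n/a"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Before relying on this rule, confirm 4697 is actually being written: `auditpol /get /subcategory:"Security System Extension"` on the host should report Success auditing, otherwise the selection never has input and the rule is silently inert.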

References

Related rules
