service_control_manager | Detection.FYI

smbexec.py Service Installation

Nov 10, 2023 · attack.lateral_movement attack.execution attack.t1021.002 attack.t1569.002 ·
Share on:

Detects the use of smbexec.py tool by detecting a specific service installation

Read More
Service Installed By Unusual Client - System

Nov 2, 2023 · attack.privilege_escalation attack.t1543 ·
Share on:

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Read More
Important Windows Service Terminated Unexpectedly

Oct 18, 2023 · attack.defense_evasion ·
Share on:

Detects important or interesting Windows services that got terminated unexpectedly.

Read More
Important Windows Service Terminated With Error

Oct 18, 2023 · attack.defense_evasion ·
Share on:

Detects important or interesting Windows services that got terminated for whatever reason

Read More
Invoke-Obfuscation CLIP+ Launcher - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More
Invoke-Obfuscation COMPRESS OBFUSCATION - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More
Invoke-Obfuscation RUNDLL LAUNCHER - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More
Invoke-Obfuscation STDIN+ Launcher - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of stdin to execute PowerShell

Read More
Invoke-Obfuscation VAR+ Launcher - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More
Invoke-Obfuscation Via Stdin - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Read More
Invoke-Obfuscation Via Use Clip - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More
Invoke-Obfuscation Via Use MSHTA - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More
Invoke-Obfuscation Via Use Rundll32 - System

Oct 18, 2023 · attack.defense_evasion attack.t1027 attack.execution attack.t1059.001 ·
Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More
Meterpreter or Cobalt Strike Getsystem Service Installation - System

Oct 18, 2023 · attack.privilege_escalation attack.t1134.001 attack.t1134.002 ·
Share on:

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More
New PDQDeploy Service - Server Side

Oct 18, 2023 · attack.privilege_escalation attack.t1543.003 ·
Share on:

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Read More
Remote Utilities Host Service Install

Oct 18, 2023 · attack.persistence ·
Share on:

Detects Remote Utilities Host service installation on the target system.

Read More
Windows Defender Threat Detection Disabled - Service

Oct 18, 2023 · attack.defense_evasion attack.t1562.001 ·
Share on:

Detects the "Windows Defender Threat Protection" service has been disabled

Read More
Anydesk Remote Access Software Service Installation

Oct 17, 2023 · attack.persistence ·
Share on:

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Read More
Credential Dumping Tools Service Execution - System

Oct 17, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1003.002 attack.t1003.004 attack.t1003.005 attack.t1003.006 attack.t1569.002 attack.s0005 ·
Share on:

Detects well-known credential dumping tools execution via service execution events

Read More
Invoke-Obfuscation Obfuscated IEX Invocation - System

Oct 17, 2023 · attack.defense_evasion attack.t1027 ·
Share on:

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Read More
KrbRelayUp Service Installation

Oct 17, 2023 · attack.privilege_escalation attack.t1543 ·
Share on:

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More
Mesh Agent Service Installation

Oct 17, 2023 · attack.command_and_control attack.t1219 ·
Share on:

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Read More
Moriya Rootkit - System

Oct 17, 2023 · attack.persistence attack.privilege_escalation attack.t1543.003 ·
Share on:

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More
NetSupport Manager Service Install

Oct 17, 2023 · attack.persistence ·
Share on:

Detects NetSupport Manager service installation on the target system.

Read More
New PDQDeploy Service - Client Side

Oct 17, 2023 · attack.privilege_escalation attack.t1543.003 ·
Share on:

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Read More
New Service Uses Double Ampersand in Path

Oct 17, 2023 · attack.defense_evasion attack.t1027 ·
Share on:

Detects a service installation that uses a suspicious double ampersand used in the image path value

Read More
PAExec Service Installation

Oct 17, 2023 · attack.execution attack.t1569.002 ·
Share on:

Detects PAExec service installation

Read More
RTCore Suspicious Service Installation

Oct 17, 2023 · attack.persistence ·
Share on:

Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse

Read More
Service Installation in Suspicious Folder

Oct 17, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003 ·
Share on:

Detects service installation in suspicious folder appdata

Read More
Sliver C2 Default Service Installation

Oct 17, 2023 · attack.execution attack.privilege_escalation attack.t1543.003 attack.t1569.002 ·
Share on:

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

Read More
Suspicious Service Installation Script

Oct 17, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003 ·
Share on:

Detects suspicious service installation scripts

Read More
TacticalRMM Service Installation

Oct 17, 2023 · attack.command_and_control attack.t1219 ·
Share on:

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Read More
CSExec Service Installation

Aug 10, 2023 · attack.execution attack.t1569.002 ·
Share on:

Detects CSExec service installation and execution events

Read More
PsExec Service Installation

Aug 8, 2023 · attack.execution attack.t1569.002 attack.s0029 ·
Share on:

Detects PsExec service installation and execution events

Read More
RemCom Service Installation

Aug 8, 2023 · attack.execution attack.t1569.002 ·
Share on:

Detects RemCom service installation and execution events

Read More
HackTool Service Registration or Execution

Aug 7, 2023 · attack.execution attack.t1569.002 attack.s0029 ·
Share on:

Detects installation or execution of services

Read More
Remote Access Tool Services Have Been Installed - System

Jun 21, 2023 · attack.persistence attack.t1543.003 attack.t1569.002 ·
Share on:

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More
Windows Service Terminated With Error

Jun 21, 2023 · attack.defense_evasion ·
Share on:

Detects Windows services that got terminated for whatever reason

Read More
CobaltStrike Service Installations - System

Apr 14, 2023 · attack.execution attack.privilege_escalation attack.lateral_movement attack.t1021.002 attack.t1543.003 attack.t1569.002 ·
Share on:

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Read More
PowerShell Scripts Installed as Services

Apr 14, 2023 · attack.execution attack.t1569.002 ·
Share on:

Detects powershell script installed as a Service

Read More
ProcessHacker Privilege Elevation

Apr 14, 2023 · attack.execution attack.privilege_escalation attack.t1543.003 attack.t1569.002 ·
Share on:

Detects a ProcessHacker tool that elevated privileges to a very high level

Read More
Service Installation with Suspicious Folder Pattern

Apr 14, 2023 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003 ·
Share on:

Detects service installation with suspicious folder patterns

Read More
Tap Driver Installation

Apr 14, 2023 · attack.exfiltration attack.t1048 ·
Share on:

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Read More