service_control_manager

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Invoke-Obfuscation RUNDLL LAUNCHER - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation STDIN+ Launcher - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation VAR+ Launcher - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation Via Stdin - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Use Clip - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use MSHTA - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use Rundll32 - System

Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001 ·

Share on:

Detects Obfuscated Powershell via use Rundll32 in Scripts

KrbRelayUp Service Installation

Aug 12, 2024 · attack.privilege-escalation attack.t1543 ·

Share on:

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Mesh Agent Service Installation

Aug 12, 2024 · attack.command-and-control attack.t1219 ·

Share on:

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Aug 12, 2024 · attack.privilege-escalation attack.t1134.001 attack.t1134.002 ·

Share on:

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Moriya Rootkit - System

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1543.003 ·

Share on:

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

NetSupport Manager Service Install

Aug 12, 2024 · attack.persistence ·

Share on:

Detects NetSupport Manager service installation on the target system.

New PDQDeploy Service - Client Side

Aug 12, 2024 · attack.privilege-escalation attack.t1543.003 ·

Share on:

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

New PDQDeploy Service - Server Side

Aug 12, 2024 · attack.privilege-escalation attack.t1543.003 ·

Share on:

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

PAExec Service Installation

Aug 12, 2024 · attack.execution attack.t1569.002 ·

Share on:

Detects PAExec service installation

PowerShell Scripts Installed as Services

Aug 12, 2024 · attack.execution attack.t1569.002 ·

Share on:

Detects powershell script installed as a Service

ProcessHacker Privilege Elevation

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.t1543.003 attack.t1569.002 ·

Share on:

Detects a ProcessHacker tool that elevated privileges to a very high level

PsExec Service Installation

Aug 12, 2024 · attack.execution attack.t1569.002 attack.s0029 ·

Share on:

Detects PsExec service installation and execution events

RemCom Service Installation

Aug 12, 2024 · attack.execution attack.t1569.002 ·

Share on:

Detects RemCom service installation and execution events

Remote Utilities Host Service Install

Aug 12, 2024 · attack.persistence ·

Share on:

Detects Remote Utilities Host service installation on the target system.

RTCore Suspicious Service Installation

Aug 12, 2024 · attack.persistence ·

Share on:

Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse

Service Installation in Suspicious Folder

Aug 12, 2024 · attack.persistence attack.privilege-escalation car.2013-09-005 attack.t1543.003 ·

Share on:

Detects service installation in suspicious folder appdata

Service Installation with Suspicious Folder Pattern

Aug 12, 2024 · attack.persistence attack.privilege-escalation car.2013-09-005 attack.t1543.003 ·

Share on:

Detects service installation with suspicious folder patterns

Service Installed By Unusual Client - System

Aug 12, 2024 · attack.privilege-escalation attack.t1543 ·

Share on:

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Sliver C2 Default Service Installation

Aug 12, 2024 · attack.execution attack.privilege-escalation attack.t1543.003 attack.t1569.002 ·

Share on:

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

smbexec.py Service Installation

Aug 12, 2024 · attack.lateral-movement attack.execution attack.t1021.002 attack.t1569.002 ·

Share on:

Detects the use of smbexec.py tool by detecting a specific service installation

Suspicious Service Installation

Aug 12, 2024 · attack.persistence attack.privilege-escalation car.2013-09-005 attack.t1543.003 ·

Share on:

Detects suspicious service installation commands

Suspicious Service Installation Script

Aug 12, 2024 · attack.persistence attack.privilege-escalation car.2013-09-005 attack.t1543.003 ·

Share on:

Detects suspicious service installation scripts

TacticalRMM Service Installation

Aug 12, 2024 · attack.command-and-control attack.t1219 ·

Share on:

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Tap Driver Installation

Aug 12, 2024 · attack.exfiltration attack.t1048 ·

Share on:

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Uncommon Service Installation Image Path

Aug 12, 2024 · attack.persistence attack.privilege-escalation car.2013-09-005 attack.t1543.003 ·

Share on:

Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.