PowerShell Scripts Installed as Services
Detects powershell script installed as a Service
Sigma rule (View on GitHub)
1title: PowerShell Scripts Installed as Services
2id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
3status: test
4description: Detects powershell script installed as a Service
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
7author: oscd.community, Natalia Shornikova
8date: 2020-10-06
9modified: 2022-12-25
10tags:
11 - attack.execution
12 - attack.t1569.002
13logsource:
14 product: windows
15 service: system
16detection:
17 selection:
18 Provider_Name: 'Service Control Manager'
19 EventID: 7045
20 ImagePath|contains:
21 - 'powershell'
22 - 'pwsh'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
Related rules
- CSExec Service File Creation
- CSExec Service Installation
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Credential Dumping Tools Service Execution - Security