HackTool Service Registration or Execution

calendar Aug 7, 2023 · attack.execution attack.t1569.002 attack.s0029  ·
Share on: linkedin copy

Detects installation or execution of services

Sigma rule (View on GitHub)

 1title: HackTool Service Registration or Execution
 2id: d26ce60c-2151-403c-9a42-49420d87b5e4
 3status: test
 4description: Detects installation or execution of services
 5references:
 6    - Internal Research
 7author: Florian Roth (Nextron Systems)
 8date: 2022/03/21
 9modified: 2023/08/07
10tags:
11    - attack.execution
12    - attack.t1569.002
13    - attack.s0029
14logsource:
15    product: windows
16    service: system
17detection:
18    selection_eid:
19        Provider_Name: 'Service Control Manager'
20        EventID:
21            - 7045
22            - 7036
23    selection_service_name:
24        ServiceName|contains:
25            - 'cachedump'
26            - 'DumpSvc'
27            - 'gsecdump'
28            - 'pwdump'
29            - 'UACBypassedService'
30            - 'WCE SERVICE'
31            - 'WCESERVICE'
32            - 'winexesvc'
33    selection_service_image:
34        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
35    condition: selection_eid and 1 of selection_service_*
36falsepositives:
37    - Unknown
38level: high

References

Related rules

to-top