New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
Sigma rule (View on GitHub)
1title: New PDQDeploy Service - Server Side
2id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
3status: test
4description: |
5 Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
6 PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
7references:
8 - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-07-22
11tags:
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1543.003
15logsource:
16 product: windows
17 service: system
18detection:
19 selection_root:
20 Provider_Name: 'Service Control Manager'
21 EventID: 7045
22 selection_service:
23 - ImagePath|contains: 'PDQDeployService.exe'
24 - ServiceName:
25 - 'PDQDeploy'
26 - 'PDQ Deploy'
27 condition: all of selection_*
28falsepositives:
29 - Legitimate use of the tool
30level: medium
References
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE