New PDQDeploy Service - Server Side

Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.

Sigma rule

title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/22
tags:
    - attack.privilege_escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
              - 'PDQDeploy'
              - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
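As an added illustration (not part of the rule or of SigmaHQ), the rule's selections and condition expressed in Python and run over a handful of constructed Event ID 7045 records. Field names follow the rule; the sample events, paths and RecordIds are made up.

```python
from typing import Any, Dict, List

# Constructed System-log records flattened to the field names the rule uses.
# Not real telemetry: the paths, service names and RecordIds are invented.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"RecordId": 1, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "PDQDeploy",
     "ImagePath": r"C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe"},
    {"RecordId": 2, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "UpdateHelper",                       # renamed service, binary still matches
     "ImagePath": r"C:\ProgramData\Temp\pdqdeployservice.exe"},
    {"RecordId": 3, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"RecordId": 4, "Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "PDQDeploy", "ImagePath": ""},        # state change, not an install
    {"RecordId": 5, "Provider_Name": "ExampleProvider", "EventID": 7045,
     "ServiceName": "PDQ Deploy", "ImagePath": ""},       # wrong provider
]


def selection_root(event: Dict[str, Any]) -> bool:
    """Keys inside one selection map are AND'ed; Sigma string matching is case-insensitive."""
    provider = str(event.get("Provider_Name", "")).lower()
    return provider == "service control manager" and event.get("EventID") == 7045


def selection_service(event: Dict[str, Any]) -> bool:
    """A list of maps under a selection is OR'ed: either map matching is enough."""
    image_path = str(event.get("ImagePath", "")).lower()
    if "pdqdeployservice.exe" in image_path:              # ImagePath|contains
        return True
    service_name = str(event.get("ServiceName", "")).lower()
    return service_name in ("pdqdeploy", "pdq deploy")    # ServiceName is one of the listed values


def rule_matches(event: Dict[str, Any]) -> bool:
    """condition: all of selection_* (both selections must match)."""
    return selection_root(event) and selection_service(event)


def run_detection(events: List[Dict[str, Any]]) -> List[int]:
    """Return the RecordIds the rule would alert on."""
    return [e["RecordId"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("Alerting records:", run_detection(SAMPLE_EVENTS))  # [1, 2]
```

Records 3, 4 and 5 show the three ways a 7045-looking event falls outside the rule: a different binary, a different event ID, and a different provider.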
