New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.
Sigma rule

```yaml
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/22
tags:
    - attack.privilege_escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
            - 'PDQDeploy'
            - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
```
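The rule's detection logic as executable Python run over constructed Windows System-log records, so the AND/OR structure of `all of selection_*` and the case-insensitive string matching can be seen in action. This is an added example, not code from the Sigma project; the event records, RecordIds and file paths are made up.

```python
"""Apply the 'New PDQDeploy Service - Server Side' condition to sample records.
Added example; the events below are constructed, not real log data."""

# Constructed System-log records using the field names Sigma's windows/system
# logsource exposes (Provider_Name, EventID, ServiceName, ImagePath).
SAMPLE_EVENTS = [
    # 7045 = "A service was installed in the system"; matches on ImagePath.
    {"RecordId": 101, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "PDQDeploy",
     "ImagePath": r'"C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe"'},
    # Binary moved and renamed, but the service name still gives it away.
    {"RecordId": 102, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "PDQ Deploy", "ImagePath": r"C:\Tools\svc.exe"},
    # Unrelated service installation: must not match.
    {"RecordId": 103, "Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    # Same service, but 7036 is a state change, not an installation.
    {"RecordId": 104, "Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "PDQDeploy", "ImagePath": r"C:\PDQ\PDQDeployService.exe"},
]

# ServiceName values from the rule, lowercased for case-insensitive comparison.
SERVICE_NAMES = {"pdqdeploy", "pdq deploy"}


def matches_rule(event: dict) -> bool:
    """Return True when the record satisfies 'all of selection_*'."""
    # selection_root is a map: every field in it must match (AND).
    if str(event.get("Provider_Name", "")).lower() != "service control manager":
        return False
    if event.get("EventID") != 7045:
        return False
    # selection_service is a list of maps: any entry may match (OR).
    # Sigma string matching is case-insensitive by default, hence lower().
    image_path = str(event.get("ImagePath", "")).lower()
    service_name = str(event.get("ServiceName", "")).lower()
    return "pdqdeployservice.exe" in image_path or service_name in SERVICE_NAMES


def matching_record_ids(events) -> list:
    """RecordIds of all events that would raise this rule."""
    return [e["RecordId"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for rid in matching_record_ids(SAMPLE_EVENTS):
        print(f"New PDQDeploy Service - Server Side: RecordId {rid}")
```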
Related rules
- Vulnerable HackSys Extreme Vulnerable Driver Load
- Moriya Rootkit - System
- New Kernel Driver Via SC.EXE
- New PDQDeploy Service - Client Side
- Sliver C2 Default Service Installation