Service Installed By Unusual Client - System

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Sigma rule

title: Service Installed By Unusual Client - System
id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
    - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
      type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ProcessId: 0
    condition: selection
falsepositives:
    - Unknown
level: high
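The selection above, run over a few constructed System-channel events, as an added example that is not part of the rule or of the Sigma project. It assumes the usual Sigma field mapping for Windows event-log XML (Provider_Name is System/Provider@Name, EventID is the System/EventID text, ProcessId is System/Execution@ProcessID) and that Sigma string comparisons are case-insensitive; the sample events, service names and host name are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

# EVTX XML namespace used by Windows event-log records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection block, transcribed from the YAML above.
SELECTION = {
    "Provider_Name": "Service Control Manager",
    "EventID": 7045,
    "ProcessId": 0,
}

# Constructed sample records (not real telemetry), shaped like System-channel
# EVTX XML. Assumed mapping: Provider_Name -> System/Provider@Name,
# EventID -> System/EventID text, ProcessId -> System/Execution@ProcessID.
SAMPLE_EVENTS = [
    # 1) Service install (7045) reported with Execution ProcessID="0": should match.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7045</EventID>
    <Execution ProcessID="0" ThreadID="0"/>
    <Channel>System</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="ServiceName">UnusualClientSvc</Data>
    <Data Name="ImagePath">C:\Windows\Temp\svc.exe</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
    # 2) Same event type, attributed to a non-zero client PID: must not match.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7045</EventID>
    <Execution ProcessID="732" ThreadID="804"/>
    <Channel>System</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="ServiceName">VendorUpdateSvc</Data>
    <Data Name="ImagePath">C:\Program Files\Vendor\update.exe</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>""",
    # 3) Service state change (7036) from PID 0: EventID does not match.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7036</EventID>
    <Execution ProcessID="0" ThreadID="0"/>
    <Channel>System</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Windows Update</Data>
    <Data Name="param2">running</Data>
  </EventData>
</Event>""",
]


def extract_fields(xml_text):
    """Flatten one EVTX XML record into the field names the Sigma rule uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    event_id = system.find("e:EventID", NS)
    execution = system.find("e:Execution", NS)
    pid_attr = execution.get("ProcessID") if execution is not None else None
    fields = {
        "Provider_Name": provider.get("Name") if provider is not None else None,
        "EventID": int(event_id.text) if event_id is not None else None,
        "ProcessId": int(pid_attr) if pid_attr is not None else None,
    }
    # Carry EventData items along so an alert has context (service name, image path).
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text
    return fields


def _eq(actual, expected):
    # Sigma compares strings case-insensitively; numbers compare exactly.
    if isinstance(expected, str) and isinstance(actual, str):
        return actual.lower() == expected.lower()
    return actual == expected


def matches_selection(fields, selection=SELECTION):
    """Sigma 'selection' semantics: every listed field must match (logical AND)."""
    return all(_eq(fields.get(name), value) for name, value in selection.items())


def run_rule(events):
    """Return the flattened fields of every record the selection matches."""
    return [f for f in (extract_fields(e) for e in events) if matches_selection(f)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["Computer" if "Computer" in hit else "ServiceName"], hit.get("ServiceName"), hit.get("ImagePath"))
```

Only the first record fires: the second has the same provider and event ID but a non-zero client PID, and the third comes from PID 0 but is a 7036 state-change event. Note that the selection as written tests only the event's own ProcessId value; the example mirrors exactly that and does not attempt the parent-PID case the description mentions.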
