Service Installed By Unusual Client - System
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Sigma rule

title: Service Installed By Unusual Client - System
id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
  - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
    type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
  - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022/09/15
modified: 2023/01/04
tags:
  - attack.privilege_escalation
  - attack.t1543
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ProcessId: 0
  condition: selection
falsepositives:
  - Unknown
level: high
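As an added example (not part of the rule or the Sigma project), here is the rule's selection block applied to constructed System-log records exported as JSON lines; the flattened field names, the loose string comparison for numeric fields, and the sample records are assumptions made for the demonstration.

```python
import json

# Selection from the Sigma rule above: every field must match (logical AND).
# ProcessId here is the Execution ProcessID of the client that asked the
# Service Control Manager to install the service, as recorded in event 7045.
SELECTION = {
    "Provider_Name": "Service Control Manager",
    "EventID": 7045,
    "ProcessId": 0,
}


def field_matches(event, key, expected):
    """Compare loosely: log exporters often emit EventID/ProcessId as strings."""
    value = event.get(key)
    if value is None:
        return False
    return str(value).strip() == str(expected)


def matches_rule(event):
    """True when the record satisfies the whole 'selection' block."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())


def detect(records):
    """Return (service name, image path) for every matching 7045 event."""
    return [(e.get("ServiceName"), e.get("ImagePath"))
            for e in records if matches_rule(e)]


# Constructed sample records (hypothetical data, not real telemetry). Only the
# second one should fire: same provider and event ID, but client PID 0.
# The third has PID 0 but is not a 7045; the fourth is a different provider.
SAMPLE_LOG = """\
{"Provider_Name": "Service Control Manager", "EventID": 7045, "ProcessId": 1204, "ServiceName": "ExampleUpdater", "ImagePath": "C:\\\\Program Files\\\\Example\\\\updater.exe"}
{"Provider_Name": "Service Control Manager", "EventID": "7045", "ProcessId": "0", "ServiceName": "svc_constructed", "ImagePath": "C:\\\\Windows\\\\Temp\\\\constructed.exe"}
{"Provider_Name": "Service Control Manager", "EventID": 7036, "ProcessId": 0, "ServiceName": "Spooler", "ImagePath": ""}
{"Provider_Name": "Microsoft-Windows-Kernel-General", "EventID": 7045, "ProcessId": 0, "ServiceName": "n/a", "ImagePath": ""}
"""


def load_records(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for name, path in detect(load_records(SAMPLE_LOG)):
        print(f"ALERT: service {name!r} installed from {path!r} by client PID 0")
```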
Related rules
- Service Installed By Unusual Client - Security
- PUA - Process Hacker Execution
- KrbRelayUp Service Installation
- Driver Load From A Temporary Directory
- Potential Shellcode Injection