Suspicious Service Installation

Detects suspicious service installation commands

Sigma rule (View on GitHub)

 1title: Suspicious Service Installation
 2id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
 3related:
 4    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
 5      type: obsolete
 6    - id: 26481afe-db26-4228-b264-25a29fe6efc7
 7      type: similar
 8status: test
 9description: Detects suspicious service installation commands
10references:
11    - Internal Research
12author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
13date: 2022-03-18
14modified: 2023-12-04
15tags:
16    - attack.persistence
17    - attack.privilege-escalation
18    - car.2013-09-005
19    - attack.t1543.003
20logsource:
21    product: windows
22    service: system
23detection:
24    selection:
25        Provider_Name: 'Service Control Manager'
26        EventID: 7045
27        ImagePath|contains:
28            - ' -nop '
29            - ' -sta '
30            - ' -w hidden '
31            - ':\Temp\'
32            - '.downloadfile(' # PowerShell download command
33            - '.downloadstring(' # PowerShell download command
34            - '\ADMIN$\'
35            - '\Perflogs\'
36            - '&&'
37    condition: selection
38falsepositives:
39    - Unknown
40level: high

References

Related rules

to-top