Service Installation in Suspicious Folder
Detects service installation in suspicious folder appdata
Sigma rule
title: Service Installation in Suspicious Folder
id: 5e993621-67d4-488a-b9ae-b420d08b96cb
status: test
description: Detects service installation in suspicious folder appdata
author: pH-T (Nextron Systems)
references:
    - Internal Research
date: 2022/03/18
modified: 2024/01/18
tags:
    - attack.persistence
    - attack.privilege_escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - '\AppData\'
            - '\\\\127.0.0.1'
            - '\\\\localhost'
    filter_optional_zoom:
        ServiceName: 'Zoom Sharing Service'
        ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
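To show how the selection, the optional filter and the condition combine, here is an added example (not code from the Sigma project) that evaluates the rule's logic in plain Python over a handful of constructed Event ID 7045 records; the service names and paths are invented, and the Zoom record is deliberately built so that the selection fires and the filter suppresses it.

```python
# Added example (not from the Sigma project): evaluate the rule above in
# plain Python against constructed Event ID 7045 records. Sigma 'contains'
# is case-insensitive, and '\\' in a Sigma value is an escaped literal
# backslash, so the needles below are the literals the rule searches for.
SELECTION_NEEDLES = ["\\AppData\\", "\\\\127.0.0.1", "\\\\localhost"]
ZOOM_PATH = ":\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe"

def contains_any(value, needles):
    """Sigma 'contains' semantics: case-insensitive substring match, OR over values."""
    return any(n.lower() in value.lower() for n in needles)

def selection(event):
    return (event.get("Provider_Name") == "Service Control Manager"
            and event.get("EventID") == 7045
            and contains_any(event.get("ImagePath", ""), SELECTION_NEEDLES))

def filter_optional_zoom(event):
    # Fields inside one filter map are ANDed together.
    return (event.get("ServiceName") == "Zoom Sharing Service"
            and contains_any(event.get("ImagePath", ""), [ZOOM_PATH]))

def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not filter_optional_zoom(event)

def event(event_id, service_name, image_path):
    """Build a record in the field layout the rule's logsource uses."""
    return {"Provider_Name": "Service Control Manager", "EventID": event_id,
            "ServiceName": service_name, "ImagePath": image_path}

# Constructed sample log (invented paths and service names). The Zoom
# record carries an AppData argument so the filter is actually exercised.
SAMPLE_EVENTS = [
    event(7045, "UpdaterSvc", "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"),
    event(7045, "Zoom Sharing Service",
          '"C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe" '
          "--log C:\\Users\\alice\\AppData\\Local\\Zoom\\cpt.log"),
    event(7045, "RemoteSvc", "\\\\127.0.0.1\\ADMIN$\\svc.exe"),
    event(7045, "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
    event(7036, "OtherSvc", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe"),
]

def alerting_services(events=SAMPLE_EVENTS):
    """Return the ServiceName of every record the rule fires on."""
    return [e["ServiceName"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    print(alerting_services())  # ['UpdaterSvc', 'RemoteSvc']
```

Note that the loopback UNC values only hit when the Service Control Manager logs the binary as a network path; a local path is never matched by them.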
Related rules
- Suspicious Service Installation
- Malicious Service Installations
- Malicious Service Installations
- Driver Load From A Temporary Directory
- PSEXEC Remote Execution File Artefact