Service Installation with Suspicious Folder Pattern
Detects service installation with suspicious folder patterns
Sigma rule (View on GitHub)
1title: Service Installation with Suspicious Folder Pattern
2id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2
3status: test
4description: Detects service installation with suspicious folder patterns
5references:
6 - Internal Research
7author: pH-T (Nextron Systems)
8date: 2022-03-18
9modified: 2022-03-24
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - car.2013-09-005
14 - attack.t1543.003
15logsource:
16 product: windows
17 service: system
18detection:
19 selection_eid:
20 Provider_Name: 'Service Control Manager'
21 EventID: 7045
22 selection_img_paths:
23 - ImagePath|re: '^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe'
24 - ImagePath|re: '^[Cc]:\\.{1,9}\.exe'
25 condition: all of selection_*
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Service Installation in Suspicious Folder
- Suspicious Service Installation
- Suspicious Service Installation Script
- Uncommon Service Installation Image Path
- Driver Load From A Temporary Directory