Suspicious Service Installation Script

Detects suspicious service installation scripts

Sigma rule

title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: test
description: Detects suspicious service installation scripts
references:
    - Internal Research
author: pH-T (Nextron Systems)
date: 2022/03/18
modified: 2024/02/23
tags:
    - attack.persistence
    - attack.privilege_escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cmd_flags:
        ImagePath|contains:
            - ' /c '
            - ' -c '
            - ' /r '
            - ' -r '
            - ' /k '
            - ' -k '
    selection_binaries:
        ImagePath|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
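The rule's logic, re-implemented in Python over constructed System-log records so the three selections and the `all of selection_*` condition can be traced by hand. This is an added example, not part of the rule or of any Sigma backend; it assumes events arrive as dicts keyed by the rule's own field names (Provider_Name, EventID, ImagePath) and that, as in Sigma, `contains` matching ignores case.

```python
CMD_FLAGS = [" /c ", " -c ", " /r ", " -r ", " /k ", " -k "]
SCRIPT_BINARIES = ["cscript", "mshta", "powershell", "pwsh",
                   "regsvr32", "rundll32", "wscript"]


def _contains_any(value, needles):
    """Sigma '|contains' over a list, compared case-insensitively."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event):
    """Apply the rule's 'condition: all of selection_*' to one record."""
    selection_eid = (
        event.get("Provider_Name") == "Service Control Manager"
        and event.get("EventID") == 7045
    )
    image_path = event.get("ImagePath")
    selection_cmd_flags = _contains_any(image_path, CMD_FLAGS)
    selection_binaries = _contains_any(image_path, SCRIPT_BINARIES)
    return selection_eid and selection_cmd_flags and selection_binaries


# Constructed sample records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    # Service binary is a cmd.exe one-liner that launches PowerShell: hit.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "UpdaterSvc",
     "ImagePath": "cmd.exe /c powershell.exe -File C:\\ProgramData\\u.ps1"},
    # Ordinary svchost service: has ' -k ' but no scripting host, no hit.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Dnscache",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"},
    # Same path as the first record but a state-change event (7036): no hit.
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "UpdaterSvc",
     "ImagePath": "cmd.exe /c powershell.exe -File C:\\ProgramData\\u.ps1"},
    # Mixed-case WScript with /R: still a hit because matching ignores case.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "LogonHelper",
     "ImagePath": "C:\\Windows\\System32\\WScript.exe /R C:\\Temp\\h.vbs"},
]


def flagged_services(events=SAMPLE_EVENTS):
    """Return the ServiceName of every record the rule would alert on."""
    return [e["ServiceName"] for e in events if matches_rule(e)]
```

The svchost record shows why both `selection_cmd_flags` and `selection_binaries` are required: service-host flags alone would otherwise fire on every stock Windows service.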
