Suspicious Service Installation Script

Detects suspicious service installation scripts

Sigma rule

title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: experimental
description: Detects suspicious service installation scripts
author: pH-T (Nextron Systems)
date: 2022/03/18
modified: 2022/11/18
tags:
    - attack.persistence
    - attack.privilege_escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    suspicious1:
        ImagePath|contains:
            - ' /c '
            - ' /r '
            - ' /k '
    suspicious2:
        ImagePath|contains:
            - 'powershell'
            - 'pwsh'
            - 'wscript'
            - 'cscript'
            - 'mshta'
            - 'rundll32'
            - 'regsvr32'
    condition: selection and all of suspicious*
falsepositives:
    - Unknown
level: high
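The rule fires only when a Service Control Manager event 7045 has an ImagePath that matches both lists: one of the shell switches ' /c ', ' /r ', ' /k ' (suspicious1) and one of the interpreter or proxy-execution names (suspicious2). The script below is an added example (not the rule author's code or the Sigma project's tooling) that evaluates that condition over a handful of constructed event records, so the "all of suspicious*" requirement can be seen in action: an event matching only one list does not alert. It assumes the field names as the rule spells them (Provider_Name, EventID, ImagePath) and the default Sigma semantics that |contains matches case-insensitively.

```python
"""Evaluate the 'Suspicious Service Installation Script' Sigma logic
against sample Windows System log events (Event ID 7045).

Added example, not the rule author's code. The event dicts below are
constructed test data; field names follow the Sigma rule.
"""

# Needles copied from the rule's suspicious1 and suspicious2 lists
SUSPICIOUS1 = [" /c ", " /r ", " /k "]
SUSPICIOUS2 = ["powershell", "pwsh", "wscript", "cscript",
               "mshta", "rundll32", "regsvr32"]


def matches_selection(event):
    """selection: Service Control Manager event 7045 (a new service was installed)."""
    return (event.get("Provider_Name") == "Service Control Manager"
            and event.get("EventID") == 7045)


def contains_any(value, needles):
    """Sigma's |contains modifier is case-insensitive by default (assumed here)."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def is_suspicious_service_install(event):
    """condition: selection and all of suspicious*"""
    image_path = event.get("ImagePath", "")
    return (matches_selection(event)
            and contains_any(image_path, SUSPICIOUS1)
            and contains_any(image_path, SUSPICIOUS2))


def find_alerts(events):
    """Return the ServiceName of every event that satisfies the rule."""
    return [e.get("ServiceName", "<unnamed>") for e in events
            if is_suspicious_service_install(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # 1: ordinary service install, no interpreter or shell switch -> no alert
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    # 2: ' /c ' plus 'powershell' in the image path -> both lists match, alert
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "updater",
     "ImagePath": "cmd.exe /c powershell -File C:\\Temp\\run.ps1"},
    # 3: 'rundll32' alone, no shell switch -> only suspicious2 matches, no alert
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc3",
     "ImagePath": r"C:\Windows\System32\rundll32.exe helper.dll,Entry"},
    # 4: same content in a different log/event -> selection fails, no alert
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "ServiceName": "svc4",
     "ImagePath": "cmd.exe /k wscript.exe C:\\Temp\\run.vbs"},
    # 5: upper-case variant -> still alerts because matching ignores case
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "svc5",
     "ImagePath": "CMD.EXE /R MSHTA.EXE C:\\Temp\\page.hta"},
]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print("ALERT: suspicious service installation:", name)
```

Running it reports only "updater" and "svc5". Note that the suspicious1 needles carry spaces on both sides, so the switch has to be followed by further arguments; that is how the rule itself is written and is worth keeping in mind when judging coverage against your own 7045 telemetry.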
