Suspicious Service Installation Script

Mar 11, 2024 · attack.persistence attack.privilege_escalation car.2013-09-005 attack.t1543.003 ·

Detects suspicious service installation scripts

Sigma rule (View on GitHub)

 1title: Suspicious Service Installation Script
 2id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
 3status: test
 4description: Detects suspicious service installation scripts
 5references:
 6    - Internal Research
 7author: pH-T (Nextron Systems)
 8date: 2022/03/18
 9modified: 2024/03/05
10tags:
11    - attack.persistence
12    - attack.privilege_escalation
13    - car.2013-09-005
14    - attack.t1543.003
15logsource:
16    product: windows
17    service: system
18detection:
19    selection_eid:
20        Provider_Name: 'Service Control Manager'
21        EventID: 7045
22    selection_cmd_flags:
23        ImagePath|contains|windash:
24            - ' -c '
25            - ' -r '
26            - ' -k '
27    selection_binaries:
28        ImagePath|contains:
29            - 'cscript'
30            - 'mshta'
31            - 'powershell'
32            - 'pwsh'
33            - 'regsvr32'
34            - 'rundll32'
35            - 'wscript'
36    condition: all of selection_*
37falsepositives:
38    - Unknown
39level: high

References

Internal Research

Read More

Suspicious Service Installation Script

Sigma rule (View on GitHub)

References

Internal Research

Related rules