Suspicious Service Installation Script
Detects suspicious service installation scripts
Sigma rule
```yaml
title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: test
description: Detects suspicious service installation scripts
references:
    - Internal Research
author: pH-T (Nextron Systems)
date: 2022-03-18
modified: 2024-03-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cmd_flags:
        ImagePath|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
    selection_binaries:
        ImagePath|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
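To make the rule's matching semantics concrete, the following is an added reference implementation of its detection logic in Python, written for this page; it is not the rule's own code and not the Sigma or pySigma project's matcher. It evaluates `all of selection_*` over a few constructed System-log Event ID 7045 records (not real telemetry), applies Sigma's case-insensitive `contains`, and approximates the `windash` modifier by matching each flag both with `-` and with `/` as the switch character. The event field names (`Provider_Name`, `EventID`, `ImagePath`, `ServiceName`) follow the rule; the `ServiceName` values are made up.

```python
"""Reference implementation of the "Suspicious Service Installation Script"
Sigma rule logic, run over constructed Event ID 7045 records.
Added example; not part of the rule or the Sigma/pySigma projects."""

# Values copied from the rule.
CMD_FLAGS = (" -c ", " -r ", " -k ")
SCRIPT_BINARIES = ("cscript", "mshta", "powershell", "pwsh",
                   "regsvr32", "rundll32", "wscript")


def windash_variants(value: str) -> set:
    """Approximate Sigma's |windash modifier: match the value as written and
    with every '-' swapped for '/', since Windows tools accept either switch
    character. Assumption: newer pySigma also emits Unicode dash variants;
    those are omitted here."""
    return {value, value.replace("-", "/")}


def contains_ci(haystack: str, needles) -> bool:
    """Sigma string matching is case-insensitive."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -- every selection must match."""
    selection_eid = (event.get("Provider_Name") == "Service Control Manager"
                     and event.get("EventID") == 7045)
    image_path = event.get("ImagePath", "")
    flag_variants = [v for f in CMD_FLAGS for v in windash_variants(f)]
    selection_cmd_flags = contains_ci(image_path, flag_variants)
    selection_binaries = contains_ci(image_path, SCRIPT_BINARIES)
    return selection_eid and selection_cmd_flags and selection_binaries


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # matches: script host launched with a -c switch
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "UpdaterSvc",
        "ImagePath": 'powershell.exe -c "Start-Process C:\\Users\\Public\\u.exe"',
    },
    {   # matches only because of windash (/c) and case-insensitivity
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "HelperSvc",
        "ImagePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE /c Get-Date",
    },
    {   # no match: ' -k ' is present but no script host from the list
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "netsvcs",
        "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    },
    {   # no match: script host, but not a 7045 installation event
        "Provider_Name": "Service Control Manager", "EventID": 7036,
        "ServiceName": "UpdaterSvc",
        "ImagePath": "powershell.exe -c Get-Date",
    },
    {   # no match: script host without any of the three flags
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "ServiceName": "CtlSvc",
        "ImagePath": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL",
    },
]


def evaluate(events) -> list:
    """Return the ServiceName of every event that triggers the rule."""
    return [e["ServiceName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: Suspicious Service Installation Script -> {name}")
```

The third sample shows why the two `ImagePath` selections are ANDed: `svchost.exe -k netsvcs` contains `' -k '` on every Windows host, and only the `selection_binaries` requirement keeps it out of the results. When porting the rule to a backend that lacks a `windash` equivalent, expand the flag list to both switch characters by hand, as `windash_variants` does, or the `/c` form is silently missed.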
Related rules
- Service Installation in Suspicious Folder
- Service Installation with Suspicious Folder Pattern
- Suspicious Service Installation
- Uncommon Service Installation Image Path
- Driver Load From A Temporary Directory