Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Sigma rule

title: Service StartupType Change Via PowerShell Set-Service
id: 62b20d44-1546-4e61-afce-8e175eb9473c
status: test
description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
references:
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-04
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\powershell.exe'
        - OriginalFileName: 'PowerShell.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'Set-Service'
            - '-StartupType'
        CommandLine|contains:
            - 'Disabled'
            - 'Manual'
    condition: all of selection_*
falsepositives:
    - False positives may occur with troubleshooting scripts
level: medium
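To show how the detection logic above evaluates, here is an added example (not part of the rule page or the Sigma project) that applies this rule's selections to constructed process-creation events; Sigma's endswith/contains modifiers are case-insensitive by default, so the matcher folds case, and the sample events and function names are assumptions for illustration. The third sample uses pwsh.exe, which selection_img does not cover, so it does not fire.

```python
# Added example: a minimal matcher for the detection section of rule
# 62b20d44-1546-4e61-afce-8e175eb9473c. Not the Sigma project's own code.
# Sigma string modifiers (endswith, contains) match case-insensitively,
# so every comparison below is done on lower-cased values.

RULE = {
    "image_endswith": ["\\powershell.exe"],
    "original_filename": ["PowerShell.EXE"],
    "cli_contains_all": ["Set-Service", "-StartupType"],
    "cli_contains_any": ["Disabled", "Manual"],
}


def _fold(value):
    return (value or "").lower()


def selection_img(event):
    """selection_img is a YAML list, so its two entries are OR-ed."""
    image = _fold(event.get("Image"))
    orig = _fold(event.get("OriginalFileName"))
    return any(image.endswith(s.lower()) for s in RULE["image_endswith"]) \
        or orig in [s.lower() for s in RULE["original_filename"]]


def selection_cli(event):
    """Keys inside a map are AND-ed: contains|all needs every value,
    plain contains needs at least one value."""
    cli = _fold(event.get("CommandLine"))
    return all(s.lower() in cli for s in RULE["cli_contains_all"]) \
        and any(s.lower() in cli for s in RULE["cli_contains_any"])


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy used by the rule.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Set-Service -Name Spooler -StartupType Disabled"'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Set-Service -Name Spooler -StartupType Automatic"'},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": 'pwsh.exe -c "set-service -name Spooler -startuptype manual"'},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]
```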
Related rules
- AMSI Bypass Pattern Assembly GetType
- HackTool - CobaltStrike BOF Injection Pattern
- Service StartupType Change Via Sc.EXE
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS CloudTrail Important Change