Suspicious Service Path Modification

 1title: Suspicious Service Path Modification
 2id: 138d3531-8793-4f50-a2cd-f291b2863d78
 3status: test
 4description: Detects service path modification via the "sc" binary to a suspicious command or path
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 7    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 8author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 9date: 2019/10/21
10modified: 2022/11/18
11tags:
12    - attack.persistence
13    - attack.privilege_escalation
14    - attack.t1543.003
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\sc.exe'
21        CommandLine|contains|all:
22            - 'config'
23            - 'binPath'
24        CommandLine|contains:
25            # Add more suspicious commands or binaries
26            - 'powershell'
27            - 'cmd '
28            - 'mshta'
29            - 'wscript'
30            - 'cscript'
31            - 'rundll32'
32            - 'svchost'
33            - 'dllhost'
34            - 'cmd.exe /c'
35            - 'cmd.exe /k'
36            - 'cmd.exe /r'
37            - 'cmd /c'
38            - 'cmd /k'
39            - 'cmd /r'
40            # Add more suspicious paths
41            - 'C:\Users\Public'
42            - '\Downloads\'
43            - '\Desktop\'
44            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
45            - 'C:\Windows\TEMP\'
46            - '\AppData\Local\Temp'
47    condition: selection
48fields:
49    - CommandLine
50    - ParentCommandLine
51falsepositives:
52    - Unlikely
53level: high