Suspicious New Service Creation

 1title: Suspicious New Service Creation
 2id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
 3related:
 4    - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
 5      type: derived
 6status: test
 7description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
10    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/07/14
13modified: 2022/11/18
14tags:
15    - attack.persistence
16    - attack.privilege_escalation
17    - attack.t1543.003
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_sc:
23        Image|endswith: '\sc.exe'
24        CommandLine|contains|all:
25            - 'create'
26            - 'binPath='
27    selection_posh:
28        CommandLine|contains|all:
29            - 'New-Service'
30            - '-BinaryPathName'
31    susp_binpath:
32        CommandLine|contains:
33            # Add more suspicious commands or binaries
34            - 'powershell'
35            - 'mshta'
36            - 'wscript'
37            - 'cscript'
38            - 'svchost'
39            - 'dllhost'
40            - 'cmd '
41            - 'cmd.exe /c'
42            - 'cmd.exe /k'
43            - 'cmd.exe /r'
44            - 'rundll32'
45            # Add more suspicious paths
46            - 'C:\Users\Public'
47            - '\Downloads\'
48            - '\Desktop\'
49            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
50            - 'C:\Windows\TEMP\'
51            - '\AppData\Local\Temp'
52    condition: 1 of selection* and susp_binpath
53falsepositives:
54    - Unlikely
55level: high