Service Binary in Suspicious Folder
Detect the creation of a service with a service binary located in a suspicious directory
Sigma rule
```yaml
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)' # boot
            - 'DWORD (0x00000001)' # System
            - 'DWORD (0x00000002)' # Automatic
            # 3 - Manual , 4 - Disabled
    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    filter_optional_mbamservice:
        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
        Image: 'C:\Windows\system32\services.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
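To make the rule's matching behaviour concrete, the following is an added Python re-implementation of its two selections, two filters and condition, run over constructed registry_set records; it is not part of the Sigma rule or the SigmaHQ project, and the sample events, dictionary field names and function names are assumptions for illustration. The example shows one hit per selection, a Start value (manual) that the rule deliberately does not match, and an event suppressed by the MBAM filter.

```python
# Added example, not SigmaHQ code. Field names follow the Sigma windows
# registry_set log source; Sigma matching is case-insensitive, so all
# comparisons below lowercase both sides.
SERVICES = "hklm\\system\\currentcontrolset\\services\\"
SUSPICIOUS = ["\\users\\public\\", "\\perflogs\\", "\\admin$\\", "\\temp\\"]
# Start values 0 (boot), 1 (system), 2 (automatic); 3 manual / 4 disabled are not matched
AUTOSTART = {"dword (0x00000000)", "dword (0x00000001)", "dword (0x00000002)"}

def selection_service_start(ev):
    t, img = ev["TargetObject"].lower(), ev["Image"].lower()
    return (t.startswith(SERVICES) and t.endswith("\\start")
            and any(p in img for p in SUSPICIOUS)
            and ev["Details"].lower() in AUTOSTART)

def selection_service_imagepath(ev):
    t, d = ev["TargetObject"].lower(), ev["Details"].lower()
    return (t.startswith(SERVICES) and t.endswith("\\imagepath")
            and any(p in d for p in SUSPICIOUS))

def filter_optional_avast(ev):  # Image|contains|all
    img = ev["Image"].lower()
    return "\\common files\\" in img and "\\temp\\" in img

def filter_optional_mbamservice(ev):
    return (ev["TargetObject"].lower().endswith("\\currentcontrolset\\services\\mbaminstallerservice\\imagepath")
            and ev["Details"].lower().endswith("\\appdata\\local\\temp\\mbaminstallerservice.exe\"")
            and ev["Image"].lower() == "c:\\windows\\system32\\services.exe")

def matches(ev):
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return ((selection_service_start(ev) or selection_service_imagepath(ev))
            and not (filter_optional_avast(ev) or filter_optional_mbamservice(ev)))

# Constructed Sysmon Event ID 13 style records (sample data, not real telemetry)
SVC = "HKLM\\System\\CurrentControlSet\\Services\\"
EVENTS = {
    "public_imagepath": {"TargetObject": SVC + "UpdSvc\\ImagePath", "Image": "C:\\Windows\\system32\\services.exe",
                         "Details": "C:\\Users\\Public\\upd.exe"},
    "temp_autostart": {"TargetObject": SVC + "UpdSvc\\Start", "Image": "C:\\Windows\\Temp\\inst.exe",
                       "Details": "DWORD (0x00000002)"},
    "temp_manual": {"TargetObject": SVC + "UpdSvc\\Start", "Image": "C:\\Windows\\Temp\\inst.exe",
                    "Details": "DWORD (0x00000003)"},
    "mbam_installer": {"TargetObject": SVC + "MBAMInstallerService\\ImagePath",
                       "Image": "C:\\Windows\\system32\\services.exe",
                       "Details": "\"C:\\Users\\bob\\AppData\\Local\\Temp\\MBAMInstallerService.exe\""},
}

def evaluate(events=EVENTS):
    """Return {event name: True if the rule would fire on it}."""
    return {name: matches(ev) for name, ev in events.items()}
```

Running `evaluate()` fires on the first two records only; the manual-start record and the MBAM installer record are left alone, which is exactly the gap a tester should verify when tuning the filters locally.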
Related rules
- Potentially Suspicious Desktop Background Change Via Registry
- Removal of Potential COM Hijacking Registry Keys
- Disable Security Events Logging Adding Reg Key MiniNt
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set