Service Binary in Suspicious Folder
Detect the creation of a service with a service binary located in a suspicious directory
Sigma rule
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
  - id: c0abc838-36b0-47c9-b3b3-a90c39455382
    type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
  - attack.persistence
  - attack.defense-evasion
  - attack.t1112
logsource:
  category: registry_set
  product: windows
detection:
  selection_service_start:
    TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
    TargetObject|endswith: '\Start'
    Image|contains:
      - '\Users\Public\'
      - '\Perflogs\'
      - '\ADMIN$\'
      - '\Temp\'
    Details:
      - 'DWORD (0x00000000)' # Boot
      - 'DWORD (0x00000001)' # System
      - 'DWORD (0x00000002)' # Automatic
      # 3 - Manual, 4 - Disabled
  selection_service_imagepath:
    TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
    TargetObject|endswith: '\ImagePath'
    Details|contains:
      - '\Users\Public\'
      - '\Perflogs\'
      - '\ADMIN$\'
      - '\Temp\'
  filter_optional_avast:
    Image|contains|all: # Filter FP with Avast software
      - '\Common Files\'
      - '\Temp\'
  filter_optional_mbamservice:
    TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
    Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
    Image: 'C:\Windows\system32\services.exe'
  condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
  - Unknown
level: high
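The rule's two selections, two optional filters and condition, re-implemented in Python and run over constructed Sysmon Event ID 13 (registry value set) records so the matching behaviour can be checked offline. This is an added illustration, not part of the Sigma project or any backend; field names follow the Sysmon registry_set mapping, string matching is case-insensitive as in Sigma, and the service name and paths in the samples are made up.

```python
SUSPICIOUS_DIRS = ('\\users\\public\\', '\\perflogs\\', '\\admin$\\', '\\temp\\')
AUTO_START = ('dword (0x00000000)', 'dword (0x00000001)', 'dword (0x00000002)')
SERVICES_KEY = 'hklm\\system\\currentcontrolset\\services\\'

def _lc(ev, field):
    # Sigma string modifiers match case-insensitively, so normalise once
    return str(ev.get(field, '')).lower()

def selection_service_start(ev):
    target, image, details = (_lc(ev, f) for f in ('TargetObject', 'Image', 'Details'))
    return (target.startswith(SERVICES_KEY) and target.endswith('\\start')
            and any(d in image for d in SUSPICIOUS_DIRS)
            and details in AUTO_START)   # Boot, System or Automatic start type

def selection_service_imagepath(ev):
    target, details = _lc(ev, 'TargetObject'), _lc(ev, 'Details')
    return (target.startswith(SERVICES_KEY) and target.endswith('\\imagepath')
            and any(d in details for d in SUSPICIOUS_DIRS))

def filter_optional_avast(ev):
    image = _lc(ev, 'Image')
    return '\\common files\\' in image and '\\temp\\' in image

def filter_optional_mbamservice(ev):
    return (_lc(ev, 'TargetObject').endswith('\\currentcontrolset\\services\\mbaminstallerservice\\imagepath')
            and _lc(ev, 'Details').endswith('\\appdata\\local\\temp\\mbaminstallerservice.exe"')
            and _lc(ev, 'Image') == 'c:\\windows\\system32\\services.exe')

def matches(ev):
    # condition: 1 of selection_* and not 1 of filter_optional_*
    return ((selection_service_start(ev) or selection_service_imagepath(ev))
            and not (filter_optional_avast(ev) or filter_optional_mbamservice(ev)))

# Constructed sample events using Sysmon Event ID 13 field names (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\system32\\services.exe",     # ImagePath under Users\Public -> hit
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\updsvc\\ImagePath",
     "Details": "C:\\Users\\Public\\updsvc.exe"},
    {"Image": "C:\\Users\\Public\\installer.exe",         # Automatic start set by a Users\Public binary -> hit
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\updsvc\\Start",
     "Details": "DWORD (0x00000002)"},
    {"Image": "C:\\Users\\Public\\installer.exe",         # Manual start (3) is not in the Details list -> no hit
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\updsvc\\Start",
     "Details": "DWORD (0x00000003)"},
    {"Image": "C:\\Windows\\system32\\services.exe",     # known Malwarebytes installer FP -> filtered out
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath",
     "Details": "\"C:\\Users\\u\\AppData\\Local\\Temp\\MBAMInstallerService.exe\""},
]
def alerts(events):
    return [i for i, ev in enumerate(events) if matches(ev)]
```

Running `alerts(SAMPLE_EVENTS)` returns `[0, 1]`: the fourth event satisfies `selection_service_imagepath` but is suppressed by `filter_optional_mbamservice`, which is exactly the false-positive handling the rule's condition encodes.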