Service Binary in Suspicious Folder

Detects the creation of a service whose service binary is located in a suspicious directory.

Sigma rule

```yaml
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsoletes
status: experimental
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022/05/02
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)'  # boot
            - 'DWORD (0x00000001)'  # System
            - 'DWORD (0x00000002)'  # Automatic
            # 3 - Manual , 4 - Disabled
    selection_2:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_1:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
```
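The rule's condition evaluated over a few registry_set events, as an added example that is not part of the rule or the Sigma project's code. It assumes Sysmon Event ID 13 field names (TargetObject, Image, Details); the service name ExampleSvc and every path in the sample events are constructed.

```python
# Added illustration of the rule's condition; not a Sigma backend.
SERVICES = 'hklm\\system\\currentcontrolset\\services\\'
SUSPICIOUS = ('\\users\\public\\', '\\perflogs\\', '\\admin$\\', '\\temp\\')
AUTO_START = ('dword (0x00000000)', 'dword (0x00000001)', 'dword (0x00000002)')


def matches(event):
    """Return True when a registry_set event satisfies the rule's condition."""
    # Sigma string matching is case-insensitive by default, so compare lower-cased.
    target = event['TargetObject'].lower()
    image = event['Image'].lower()
    details = event['Details'].lower()
    in_services = target.startswith(SERVICES)
    # selection_1: a process in a suspicious folder sets a boot/system/automatic start type.
    selection_1 = (in_services and target.endswith('\\start')
                   and any(s in image for s in SUSPICIOUS)
                   and details in AUTO_START)
    # selection_2: the ImagePath value itself points into a suspicious folder.
    selection_2 = (in_services and target.endswith('\\imagepath')
                   and any(s in details for s in SUSPICIOUS))
    # filter_1 is contains|all: both fragments must appear in Image.
    filter_1 = '\\common files\\' in image and '\\temp\\' in image
    return (selection_1 or selection_2) and not filter_1


# Constructed events (TargetObject, Image, Details); not real telemetry.
KEY = r'HKLM\System\CurrentControlSet\Services\ExampleSvc'
SERVICES_EXE = r'C:\Windows\System32\services.exe'
SAMPLES = {
    'imagepath_in_public': (KEY + r'\ImagePath', SERVICES_EXE, r'C:\Users\Public\example.exe'),
    'imagepath_in_system32': (KEY + r'\ImagePath', SERVICES_EXE, r'C:\Windows\System32\example.exe'),
    'autostart_set_from_temp': (KEY + r'\Start', r'C:\Windows\Temp\setup.exe', 'DWORD (0x00000002)'),
    'manual_start_set_from_temp': (KEY + r'\Start', r'C:\Windows\Temp\setup.exe', 'DWORD (0x00000003)'),
    'common_files_temp_filtered': (KEY + r'\Start', r'C:\Program Files\Common Files\Vendor\Temp\upd.exe', 'DWORD (0x00000002)'),
}


def evaluate_samples():
    """Run every constructed event through matches() and return name -> verdict."""
    fields = ('TargetObject', 'Image', 'Details')
    return {name: matches(dict(zip(fields, values))) for name, values in SAMPLES.items()}


if __name__ == '__main__':
    for name, hit in evaluate_samples().items():
        print(f'{name}: {"ALERT" if hit else "no match"}')
```

The last sample shows that filter_1 suppresses any event whose Image contains both '\Common Files\' and '\Temp\', regardless of vendor, which is worth reviewing when tuning the rule.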
