PowerShell as a Service in Registry

calendar Aug 12, 2024 · attack.execution attack.t1569.002  ·
Share on: linkedin copy

Detects that a powershell code is written to the registry as a service.

Sigma rule (View on GitHub)

 1title: PowerShell as a Service in Registry
 2id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
 3status: test
 4description: Detects that a powershell code is written to the registry as a service.
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 7author: oscd.community, Natalia Shornikova
 8date: 2020-10-06
 9modified: 2023-08-17
10tags:
11    - attack.execution
12    - attack.t1569.002
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\Services\'
19        TargetObject|endswith: '\ImagePath'
20        Details|contains:
21            - 'powershell'
22            - 'pwsh'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

  • Hunting for PowerShell Abuse

    PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…


    Read More

Related rules

to-top