Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Detects well-known credential dumping tools execution via service execution events
Detects PsExec service installation and execution events (service and Sysmon)
Detects PAExec service installation
Detects a PowerShell script installed as a service
Detects a ProcessHacker tool that elevated privileges to a very high level
Detects service installation of various remote access tool software. These tools are often abused by threat actors to perform
Detects known malicious service installations that appear in cases in which Sliver implants execute PsExec commands
Detects the use of smbexec.py tool by detecting a specific service installation
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detects the usage of the "net.exe" command to start a service using the "start" flag
Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Detects the use of SharpUp, a tool for local privilege escalation
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
Detects the use of NirCmd tool for command execution as SYSTEM user
Detects the use of NSudo tool for command execution
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
Detects PAExec default named pipe
Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
This can also be caught via System event log ID 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
In some SIEMs these events can also be caught in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; however, this rule is based on regular Sysmon events.
Detects PowerShell code written to the registry as a service.
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Identifies clients that may be performing DNS lookups associated with common currency mining pools.
Detects blocking of process creations originating from PSExec and WMI commands
Detects default PsExec service filename which indicates PsExec service installation and execution
Detects use of PsExec via pipe creation or access to pipes
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE