Detectionhightest

Suspicious Service Installation

Detects suspicious service installation commands

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Martin Mueller, Florian Roth (Nextron Systems)Created Fri Mar 18Updated Mon Dec 041d61f71d-59d2-479e-9562-4ff5f4ead16bwindows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - ' -nop '
            - ' -sta '
            - ' -w hidden '
            - ':\Temp\'
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '\ADMIN$\'
            - '\Perflogs\'
            - '&&'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1543.003 · Windows Service

CAR Analytics

2013-09-005 · CAR 2013-09-005

Related Rules

Similar

ca83e9f3-657a-45d0-88d6-c1ac280caf53

Rule not found

SimilarDetectionmedium

Uncommon Service Installation Image Path

Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

1d61f71d-59d2-479e-9562-4ff5f4ead16b

Status

test

Level

high

Type

Detection

Created

Fri Mar 18

Modified

Mon Dec 04

Author

Martin Mueller, Florian Roth (Nextron Systems)

Path

rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml

Raw Tags

attack.persistenceattack.privilege-escalationcar.2013-09-005attack.t1543.003

View on GitHub