Detection · medium · test
Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
Author: Florian Roth (Nextron Systems) · Created Fri Mar 18 · Updated Fri Feb 09 · 26481afe-db26-4228-b264-25a29fe6efc7 · windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (6 selectors)
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    suspicious_paths:
        ImagePath|contains:
            - '\\\\.\\pipe'
            - '\Users\Public\'
            - '\Windows\Temp\'
    suspicious_encoded_flag:
        ImagePath|contains: ' -e'
    suspicious_encoded_keywords:
        ImagePath|contains:
            - ' aQBlAHgA' # PowerShell encoded commands
            - ' aWV4I' # PowerShell encoded commands
            - ' IAB' # PowerShell encoded commands
            - ' JAB' # PowerShell encoded commands
            - ' PAA' # PowerShell encoded commands
            - ' SQBFAFgA' # PowerShell encoded commands
            - ' SUVYI' # PowerShell encoded commands
    filter_optional_thor_remote:
        ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
    filter_main_defender_def_updates:
        ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
    condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
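To make the condition above concrete, here is an added example (written for this page, not code from the Sigma project or the rule author) that evaluates the rule's logic over a handful of constructed Event ID 7045 records. It follows Sigma's default string semantics, where `contains` and `startswith` are case-insensitive, and it shows two points that are easy to misread in the YAML: `all of suspicious_encoded_*` requires both the ` -e` flag and one of the base64 keywords, and a `\Windows\Temp\` hit is still suppressed when the path starts with one of the filter prefixes. The event dictionaries and their ImagePath values are constructed samples.

```python
# Added example: minimal evaluator for the rule's condition.
# Field names mirror the Sigma selectors; matching is case-insensitive
# substring / prefix testing, as Sigma's default modifiers specify.

# Values taken from the rule's selectors (Sigma escaping resolved to
# literal backslashes).
SUSPICIOUS_PATHS = ["\\\\.\\pipe", "\\Users\\Public\\", "\\Windows\\Temp\\"]
ENCODED_FLAG = " -e"
ENCODED_KEYWORDS = [" aQBlAHgA", " aWV4I", " IAB", " JAB", " PAA",
                    " SQBFAFgA", " SUVYI"]
FILTER_MAIN = ["C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\"]
FILTER_OPTIONAL = ["C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe"]


def _contains(value: str, needles) -> bool:
    """Sigma 'contains' modifier: any needle appears, ignoring case."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _startswith(value: str, prefixes) -> bool:
    """Sigma 'startswith' modifier: any prefix matches, ignoring case."""
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def matches(event: dict) -> bool:
    """Return True when the event satisfies:
    selection and (suspicious_paths or all of suspicious_encoded_*)
    and not 1 of filter_main_* and not 1 of filter_optional_*
    """
    provider = str(event.get("Provider_Name", ""))
    selection = (provider.lower() == "service control manager"
                 and event.get("EventID") == 7045)
    if not selection:
        return False
    path = str(event.get("ImagePath", ""))
    suspicious_paths = _contains(path, SUSPICIOUS_PATHS)
    # 'all of suspicious_encoded_*': flag AND keyword selectors must both hit.
    suspicious_encoded = (_contains(path, [ENCODED_FLAG])
                          and _contains(path, ENCODED_KEYWORDS))
    # '1 of filter_main_*' / '1 of filter_optional_*': any prefix suppresses.
    filtered = _startswith(path, FILTER_MAIN) or _startswith(path, FILTER_OPTIONAL)
    return (suspicious_paths or suspicious_encoded) and not filtered


def _scm(image_path: str, event_id: int = 7045) -> dict:
    """Build a constructed Service Control Manager record."""
    return {"Provider_Name": "Service Control Manager",
            "EventID": event_id, "ImagePath": image_path}


# Constructed sample events (not real telemetry); the base64 fragment in
# 'encoded_powershell' is a placeholder that merely contains the ' JAB' token.
SAMPLE_EVENTS = {
    "benign_program_files": _scm("C:\\Program Files\\Vendor\\agent.exe"),
    "temp_dir": _scm("C:\\Windows\\Temp\\installer.exe"),
    "encoded_powershell": _scm("powershell.exe -e JABxAHgA"),
    "flag_without_keyword": _scm("C:\\svc\\agent.exe -e verbose"),
    "thor_remote": _scm("C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe --scan"),
    "wrong_event_id": _scm("C:\\Windows\\Temp\\installer.exe", event_id=7036),
}


def run_samples() -> dict:
    """Evaluate every sample event; returns {label: matched}."""
    return {label: matches(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in run_samples().items():
        print(f"{label:24s} -> {'ALERT' if hit else 'no match'}")
```

The `thor_remote` sample is the instructive one for triage: its path contains `\Windows\Temp\`, so `suspicious_paths` fires, yet the `filter_optional_thor_remote` prefix suppresses it. The `flag_without_keyword` sample shows why a bare ` -e` is not enough on its own.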
References
1. Internal Research
MITRE ATT&CK
Sub-techniques
CAR Analytics
2013-09-005 · CAR 2013-09-005
Related Rules
Similar: ca83e9f3-657a-45d0-88d6-c1ac280caf53 (rule not found)
Derived: Suspicious Service Installation (Detection · high)
Detects suspicious service installation commands
This rule was derived from the related rule - both detect similar activity with different scope.
Rule Metadata
Rule ID
26481afe-db26-4228-b264-25a29fe6efc7
Status
test
Level
medium
Type
Detection
Created
Fri Mar 18
Modified
Fri Feb 09
Path
rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
Raw Tags
attack.persistence, attack.privilege-escalation, car.2013-09-005, attack.t1543.003