Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing Windows service so that an arbitrary payload runs when the service is started (binary path / ImagePath) or when it fails, for example after being killed (failure command / FailureCommand), as a potential method of persistence.
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
```yaml
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
```

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
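The following is an added worked example, not part of the Sigma rule or of the Sigma project: it transcribes the three selectors above into plain Python and runs the condition over a handful of constructed process-creation command lines (the service names and paths are invented for the illustration). It applies Sigma's default semantics for plain string values, namely case-insensitive substring matching for `contains`, with `contains|all` requiring every value and a list under `contains` requiring any one value. Two properties of the rule as written are visible in the sample set: the `$` in `.bin$`, `.msh$` and `.reg$` is a literal character under `contains`, not a regex anchor, so a payload ending in `.bin` is not matched; and a full-path invocation such as `C:\Windows\System32\sc.exe config ...` never contains the substring `sc ` and therefore does not satisfy `selection_sc`.

```python
"""Reference implementation of the rule's detection logic over constructed
process-creation events (added illustration, not the rule's own code)."""

# Selections transcribed from the rule's YAML. Each inner list is one
# `CommandLine|contains|all` entry; entries in the outer list are OR-ed.
SELECTION_SC = [
    ["sc ", "config ", "binpath="],
    ["sc ", "failure", "command="],
]
SELECTION_REG_IMG = [
    ["reg ", "add ", "FailureCommand"],
    ["reg ", "add ", "ImagePath"],
]
# `CommandLine|contains` with a list: any one value may match. The '$' in
# three entries is a literal character under `contains`, not a regex anchor.
SELECTION_REG_EXT = [
    ".sh", ".exe", ".dll", ".bin$", ".bat", ".cmd", ".js", ".msh$",
    ".reg$", ".scr", ".ps", ".vb", ".jar", ".pl",
]


def contains_all(command_line, needles):
    """Sigma `contains|all`: every needle is a substring of the field.
    Plain Sigma string matching is case-insensitive, so compare lowercased."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def contains_any(command_line, needles):
    """Sigma `contains` with a list of values: any one value is a substring."""
    haystack = command_line.lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_rule(command_line):
    """condition: selection_sc or all of selection_reg_*"""
    selection_sc = any(contains_all(command_line, g) for g in SELECTION_SC)
    selection_reg_img = any(contains_all(command_line, g) for g in SELECTION_REG_IMG)
    selection_reg_ext = contains_any(command_line, SELECTION_REG_EXT)
    return selection_sc or (selection_reg_img and selection_reg_ext)


# Constructed sample events; service names and paths are invented for this
# example and are not taken from the rule or from any real incident.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r'sc config Spooler binPath= "C:\Users\Public\payload.exe"'},
    {"id": 2, "CommandLine": r'sc failure Spooler reset= 0 actions= restart/0 command= "cmd /c C:\Users\Public\run.bat"'},
    {"id": 3, "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\payload.exe" /f'},
    # Payload ends in .bin: the rule's '.bin$' value is matched literally, so no hit.
    {"id": 4, "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /d "C:\Users\Public\runner.bin" /f'},
    # Full-path invocation: "sc.exe config" never contains the substring "sc ".
    {"id": 5, "CommandLine": r'C:\Windows\System32\sc.exe config Spooler binPath= "C:\Users\Public\payload.exe"'},
    # Benign query and an unrelated registry write (no ImagePath/FailureCommand).
    {"id": 6, "CommandLine": r'sc query Spooler'},
    {"id": 7, "CommandLine": r'reg add HKCU\Software\Contoso\App /v InstallDir /d C:\Apps\app.exe /f'},
]


def run_detection(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    print("alerting events:", run_detection(SAMPLE_EVENTS))
```

Events 1 to 3 alert; event 4 is missed because of the literal `$`, event 5 because the `sc ` substring is absent from a full-path invocation, and events 6 and 7 are correctly ignored. When triaging hits, the `sc config`/`sc failure` branch fires on the command alone, whereas the `reg add` branch additionally requires one of the listed extensions somewhere in the command line, which includes the registry key path itself.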
References
MITRE ATT&CK
Rule Metadata
Rule ID
38879043-7e1e-47a9-8d46-6bec88e201df
Status
test
Level
medium
Type
Detection
Created
Tue Sep 29
Modified
Sat Feb 04
Author
Path
rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml
Raw Tags
attack.privilege-escalation
attack.defense-evasion
attack.persistence
attack.t1543.003
attack.t1574.011