Detectionhightest

PowerShell as a Service in Registry

Detects that a powershell code is written to the registry as a service.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

oscd.community, Natalia ShornikovaCreated Tue Oct 06Updated Thu Aug 174a5f5a5e-ac01-474b-9b4e-d61298c9df1dwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

speakerdeck.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1569.002 · Service Execution

Rule Metadata

Rule ID

4a5f5a5e-ac01-474b-9b4e-d61298c9df1d

Status

test

Level

high

Type

Detection

Created

Tue Oct 06

Modified

Thu Aug 17

Author

oscd.community, Natalia Shornikova

Path

rules/windows/registry/registry_set/registry_set_powershell_as_service.yml

Raw Tags

attack.executionattack.t1569.002

View on GitHub