Detection | high | test
smbexec.py Service Installation
Detects use of the smbexec.py tool by identifying the specific service installation it performs
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (3 selectors)
detection:
  selection_eid:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
  selection_service_name:
    ServiceName: 'BTOBTO'
  selection_service_image:
    ImagePath|contains:
      - '.bat & del '
      - '__output 2^>^&1 >'
  condition: selection_eid and 1 of selection_service_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
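The detection logic above evaluated in code, as an added example that is not part of the SigmaHQ rule or this page: a small Python evaluator for the three selectors and the `selection_eid and 1 of selection_service_*` condition, run over constructed Windows System-log records (field names follow the rule; the sample events and paths are made up).

```python
# Added example (not the rule's or page's code); sample events are constructed.
PROVIDER = "Service Control Manager"
EVENT_ID = 7045
SERVICE_NAME = "BTOBTO"
IMAGE_FRAGMENTS = (".bat & del ", "__output 2^>^&1 >")

def selection_eid(event: dict) -> bool:
    """selection_eid: Provider_Name and EventID must both match."""
    return (str(event.get("Provider_Name", "")).lower() == PROVIDER.lower()
            and event.get("EventID") == EVENT_ID)

def selection_service_name(event: dict) -> bool:
    """selection_service_name: exact ServiceName match (Sigma compares case-insensitively)."""
    return str(event.get("ServiceName", "")).lower() == SERVICE_NAME.lower()

def selection_service_image(event: dict) -> bool:
    """selection_service_image: ImagePath|contains any of the listed fragments."""
    path = str(event.get("ImagePath", "")).lower()
    return any(frag.lower() in path for frag in IMAGE_FRAGMENTS)

def matches(event: dict) -> bool:
    """condition: selection_eid and 1 of selection_service_*"""
    return selection_eid(event) and (
        selection_service_name(event) or selection_service_image(event))

def alerting_services(events) -> list:
    """ServiceName of every event the rule fires on, in log order."""
    return [e["ServiceName"] for e in events if matches(e)]

# Constructed sample System-log events, not real telemetry.
SAMPLE_EVENTS = [
    # default smbexec service name: fires on the name selector alone
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "BTOBTO", "ImagePath": r"C:\Windows\Temp\svc.exe"},
    # renamed service: still fires because ImagePath carries '.bat & del '
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "UpdateSvc",
     "ImagePath": r"cmd.exe /Q /c C:\Temp\run.bat & del C:\Temp\run.bat"},
    # ordinary service install without either fragment: no alert
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # same name but a 7036 state-change event, not an installation: no alert
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "BTOBTO", "ImagePath": r"C:\Windows\Temp\svc.exe"},
]

if __name__ == "__main__":
    print(alerting_services(SAMPLE_EVENTS))  # ['BTOBTO', 'UpdateSvc']
```

The second sample shows why the rule keeps two service selectors: renaming the service defeats the ServiceName match, but the ImagePath fragments still fire.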
MITRE ATT&CK
Rule Metadata
Rule ID
52a85084-6989-40c3-8f32-091e12e13f09
Status
test
Level
high
Type
Detection
Created
Tue Mar 20
Modified
Thu Nov 09
Author
Path
rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml
Raw Tags
attack.lateral-movement, attack.execution, attack.t1021.002, attack.t1569.002