Detectionhightest

HackTool Service Registration or Execution

Detects installation or execution of services

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon Mar 21Updated Mon Aug 07d26ce60c-2151-403c-9a42-49420d87b5e4windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
    selection_service_name:
        ServiceName|contains:
            - 'cachedump'
            - 'DumpSvc'
            - 'gsecdump'
            - 'pwdump'
            - 'UACBypassedService'
            - 'WCE SERVICE'
            - 'WCESERVICE'
            - 'winexesvc'
    selection_service_image:
        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
    condition: selection_eid and 1 of selection_service_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1569.002 · Service Execution

Software

S0029 · S0029

Rule Metadata

Rule ID

d26ce60c-2151-403c-9a42-49420d87b5e4

Status

test

Level

high

Type

Detection

Created

Mon Mar 21

Modified

Mon Aug 07

Author

Florian Roth (Nextron Systems)

Path

rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml

Raw Tags

attack.executionattack.t1569.002attack.s0029

View on GitHub