Detectionmediumtest
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri Jul 22ee9ca27c-9bd7-4cee-9b01-6e906be7cae3windows
Log Source
Windowssystem
ProductWindows← raw: windows
Servicesystem← raw: system
Detection Logic
Detection Logic2 selectors
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployService.exe'
- ServiceName:
- 'PDQDeploy'
- 'PDQ Deploy'
condition: all of selection_*False Positives
Legitimate use of the tool
References
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
Status
test
Level
medium
Type
Detection
Created
Fri Jul 22
Path
rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1543.003