Rules Contributing to Suspicious Windows Service Installation Alert

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects Obfuscated Powershell via VAR++ LAUNCHER

Rule ID

windows_security_1

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['&&set', 'cmd', '/c', '-f'], 'ServiceFileName|contains': ['{0}', '{1}', '{2}', '{3}', '{4}', '{5}']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,4c54ba8f-73d2-4d40-8890-d9cf1dca3d30

Author: Timur Zinniatullin, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/10/13	high	Unknown

Malicious Service Installations

Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

More details

Rule ID

windows_security_8

Query

{'selection': {'EventID': 4697}, 'malsvc_apt29': {'ServiceName': 'javamtsup'}, 'condition': 'selection and 1 of malsvc_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,cb062102-587e-4414-8efa-dbe3c7bf19c6

Author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)

Tactics, Techniques, and Procedures

T1003, T1543.003, T1569.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/03/27	critical	Unknown

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use MSHTA in Scripts

More details

Rule ID

windows_security_10

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['mshta', 'vbscript:createobject', '.run', 'window.close']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a

Author: Nikita Nazarov, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/09	high	Unknown

Service Installed By Unusual Client - Security

Detects a service installed by a client which has PID 0 or whose parent has PID 0

More details

Rule ID

windows_security_13

Query

{'selection': {'EventID': 4697}, 'selection_pid': [{'ClientProcessId': 0}, {'ParentProcessId': 0}], 'condition': 'all of selection*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,c4e92a97-a9ff-4392-9d2d-7a4c642768ca

Author: Tim Rauch (Nextron Systems), Elastic

Tactics, Techniques, and Procedures

T1543

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/09/15	high	Unknown

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

More details

Rule ID

windows_security_26

Query

{'selection_id': {'EventID': 4697}, 'selection': [{'ServiceFileName|contains|all': ['cmd', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['%COMSPEC%', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['cmd.exe', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['rundll32', '.dll,a', '/p:']}], 'condition': 'selection_id and selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34

Author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1134

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/26	critical	Highly unlikely

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

More details

Rule ID

windows_security_32

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['rundll32.exe', 'shell32.dll', 'shellexec_rundll', 'powershell']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca

Author: Timur Zinniatullin, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/18	medium	Unknown

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

More details

Rule ID

windows_security_33

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['&&', 'rundll32', 'shell32.dll', 'shellexec_rundll'], 'ServiceFileName|contains': ['value', 'invoke', 'comspec', 'iex']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,cd0f7229-d16f-42de-8fe3-fba365fbcb3a

Author: Nikita Nazarov, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/09	high	Unknown

Invoke-Obfuscation STDIN+ Launcher - Security

Detects Obfuscated use of stdin to execute PowerShell

More details

Rule ID

windows_security_50

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', 'powershell']}, 'selection2': {'ServiceFileName|contains': ['${input}', 'noexit']}, 'selection3': {'ServiceFileName|contains': [' /c ', ' /r ']}, 'condition': 'all of selection*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,0c718a5e-4284-4fb9-b4d9-b9a50b3a1974

Author: Jonathan Cheong, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/15	high	Unknown

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

More details

Rule ID

windows_security_53

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['set', '&&'], 'ServiceFileName|contains': ['environment', 'invoke', '${input)']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,80b708f3-d034-40e4-a6c8-d23b7a7db3d1

Author: Nikita Nazarov, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/12	high	Unknown

Invoke-Obfuscation CLIP+ Launcher - Security

Detects Obfuscated use of Clip.exe to execute PowerShell

More details

Rule ID

windows_security_55

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', '&&', 'clipboard]::']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,4edf51e1-cb83-4e1a-bc39-800e396068e3

Author: Jonathan Cheong, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/13	high	Unknown

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

More details

Rule ID

windows_security_61

Query

{'selection': {'EventID': 4697, 'ServiceFileName|re': '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$', 'ServiceName|re': '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)', 'ServiceStartType': '3', 'ServiceType': '0x10'}, 'filter': {'ServiceName': 'PSEXESVC'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,6fb63b40-e02a-403e-9ffd-3bcc1d749442

Author: Bartlomiej Czyz, Relativity

Tactics, Techniques, and Procedures

T1021.002, T1569.002, T1570

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2021/01/21	high	Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

More details

Rule ID

windows_security_71

Query

{'selection_eid': {'EventID': 4697}, 'selection_servicefilename': [{'ServiceFileName|re': '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['}, {'ServiceFileName|re': '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['}, {'ServiceFileName|re': '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['}, {'ServiceFileName|re': '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'}, {'ServiceFileName|re': '\\\\*mdr*\\W\\s*\\)\\.Name'}, {'ServiceFileName|re': '\\$VerbosePreference\\.ToString\\('}, {'ServiceFileName|re': '\\String\\]\\s*\\$VerbosePreference'}], 'condition': 'all of selection_*'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,fd0f5778-d3cb-4c9a-9695-66759d04702a

Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community

Tactics, Techniques, and Procedures

T1027

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2019/11/08	high	Unknown

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use Clip.exe in Scripts

More details

Rule ID

windows_security_76

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains': '(Clipboard|i'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,1a0a2ff1-611b-4dac-8216-8a7b47c618a6

Author: Nikita Nazarov, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/09	high	Unknown

Invoke-Obfuscation VAR+ Launcher - Security

Detects Obfuscated use of Environment Variables to execute PowerShell

More details

Rule ID

windows_security_90

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', '"set', '-f'], 'ServiceFileName|contains': ['/c', '/r']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,dcf2db1f-f091-425b-a821-c05875b8925a

Author: Jonathan Cheong, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/15	high	Unknown

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

More details

Rule ID

windows_security_102

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['new-object', 'text.encoding]::ascii', 'readtoend'], 'ServiceFileName|contains': ['system.io.compression.deflatestream', 'system.io.streamreader']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,7a922f1b-2635-4d6c-91ef-af228b198ad3

Author: Timur Zinniatullin, oscd.community

Tactics, Techniques, and Procedures

T1027, T1059.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2020/10/18	medium	Unknown

PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

More details

Rule ID

windows_security_106

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains': ['powershell', 'pwsh']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,2a926e6a-4b81-4011-8a96-e36cc8c04302

Author: oscd.community, Natalia Shornikova

Tactics, Techniques, and Procedures

T1569.002

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2020/10/06	high	Unknown

HybridConnectionManager Service Installation

Rule to detect the Hybrid Connection Manager service installation.

More details

Rule ID

windows_security_110

Query

{'selection': {'EventID': 4697, 'ServiceName': 'HybridConnectionManager', 'ServiceFileName|contains': 'HybridConnectionManager'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,0ee4d8a5-4e67-4faf-acfa-62a78457d1f2

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Tactics, Techniques, and Procedures

T1554

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/04/12	high	Legitimate use of Hybrid Connection Manager via Azure function apps.

Tap Driver Installation - Security

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

More details

Rule ID

windows_security_114

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains': 'tap0901'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,9c8afa4d-0022-48f0-9456-3712466f9701

Author: Daniil Yugoslavskiy, Ian Davis, oscd.community

Tactics, Techniques, and Procedures

T1048

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2019/10/24	medium	Legitimate OpenVPN TAP insntallation

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

More details

Rule ID

windows_security_128

Query

{'selection': {'EventID': 4697, 'ServiceFileName|contains': ['fgexec', 'dumpsvc', 'cachedump', 'mimidrv', 'gsecdump', 'servpw', 'pwdump']}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

Collecting Windows Security Events
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Rule Source

SigmaHQ,f0d1feba-4344-4ca9-8121-a6c97bd6df52

Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

Tactics, Techniques, and Procedures

T1003, T1569

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2017/03/05	high	Legitimate Administrator using credential dumping tool for password recovery