Rules Contributing to Suspicious Windows Service Installation Alert
The following rules are used to identify suspicious activity with service installation activity. Any one or more of these will trigger the Suspicious Windows Service Installation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security |
Detects Obfuscated Powershell via VAR++ LAUNCHER More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['&&set', 'cmd', '/c', '-f'], 'ServiceFileName|contains': ['{0}', '{1}', '{2}', '{3}', '{4}', '{5}']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Malicious Service Installations |
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. More details
Rule IDQuery{'selection': {'EventID': 4697}, 'malsvc_apt29': {'ServiceName': 'javamtsup'}, 'condition': 'selection and 1 of malsvc_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cb062102-587e-4414-8efa-dbe3c7bf19c6 Author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update) Tactics, Techniques, and ProceduresTA0002, T1569.002, TA0003, T1543.003, TA0006, T1003 ReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Use MSHTA - Security |
Detects Obfuscated Powershell via use MSHTA in Scripts More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['mshta', 'vbscript:createobject', '.run', 'window.close']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Service Installed By Unusual Client - Security |
Detects a service installed by a client which has PID 0 or whose parent has PID 0 More details
Rule IDQuery{'selection': {'EventID': 4697}, 'selection_pid': [{'ClientProcessId': 0}, {'ParentProcessId': 0}], 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c4e92a97-a9ff-4392-9d2d-7a4c642768ca Author: Tim Rauch (Nextron Systems), Elastic (idea) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Meterpreter or Cobalt Strike Getsystem Service Installation - Security |
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation More details
Rule IDQuery{'selection_id': {'EventID': 4697}, 'selection': [{'ServiceFileName|contains|all': ['cmd', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['%COMSPEC%', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['cmd.exe', '/c', 'echo', '\\pipe\\']}, {'ServiceFileName|contains|all': ['rundll32', '.dll,a', '/p:']}], 'condition': 'selection_id and selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 Author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity90 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation RUNDLL LAUNCHER - Security |
Detects Obfuscated Powershell via RUNDLL LAUNCHER More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['rundll32.exe', 'shell32.dll', 'shellexec_rundll', 'powershell']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Use Rundll32 - Security |
Detects Obfuscated Powershell via use Rundll32 in Scripts More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['&&', 'rundll32', 'shell32.dll', 'shellexec_rundll'], 'ServiceFileName|contains': ['value', 'invoke', 'comspec', 'iex']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cd0f7229-d16f-42de-8fe3-fba365fbcb3a Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation STDIN+ Launcher - Security |
Detects Obfuscated use of stdin to execute PowerShell More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', 'powershell']}, 'selection2': {'ServiceFileName|contains': ['${input}', 'noexit']}, 'selection3': {'ServiceFileName|contains': [' /c ', ' /r ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Stdin - Security |
Detects Obfuscated Powershell via Stdin in Scripts More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['set', '&&'], 'ServiceFileName|contains': ['environment', 'invoke', '${input)']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,80b708f3-d034-40e4-a6c8-d23b7a7db3d1 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation CLIP+ Launcher - Security |
Detects Obfuscated use of Clip.exe to execute PowerShell More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', '&&', 'clipboard]::']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4edf51e1-cb83-4e1a-bc39-800e396068e3 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Metasploit Or Impacket Service Installation Via SMB PsExec |
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|re': '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$', 'ServiceName|re': '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)', 'ServiceStartType': '3', 'ServiceType': '0x10'}, 'filter': {'ServiceName': 'PSEXESVC'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6fb63b40-e02a-403e-9ffd-3bcc1d749442 Author: Bartlomiej Czyz, Relativity Tactics, Techniques, and ProceduresTA0002, T1569.002, TA0008, T1021.002, T1570 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Obfuscated IEX Invocation - Security |
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references More details
Rule IDQuery{'selection_eid': {'EventID': 4697}, 'selection_servicefilename': [{'ServiceFileName|re': '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['}, {'ServiceFileName|re': '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['}, {'ServiceFileName|re': '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['}, {'ServiceFileName|re': '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'}, {'ServiceFileName|re': '\\\\*mdr*\\W\\s*\\)\\.Name'}, {'ServiceFileName|re': '\\$VerbosePreference\\.ToString\\('}, {'ServiceFileName|re': '\\String\\]\\s*\\$VerbosePreference'}], 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,fd0f5778-d3cb-4c9a-9695-66759d04702a Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Use Clip - Security |
Detects Obfuscated Powershell via use Clip.exe in Scripts More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains': '(Clipboard|i'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1a0a2ff1-611b-4dac-8216-8a7b47c618a6 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation VAR+ Launcher - Security |
Detects Obfuscated use of Environment Variables to execute PowerShell More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['cmd', '"set', '-f'], 'ServiceFileName|contains': ['/c', '/r']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,dcf2db1f-f091-425b-a821-c05875b8925a Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation COMPRESS OBFUSCATION - Security |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains|all': ['new-object', 'text.encoding]::ascii', 'readtoend'], 'ServiceFileName|contains': ['system.io.compression.deflatestream', 'system.io.streamreader']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7a922f1b-2635-4d6c-91ef-af228b198ad3 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.001, TA0005, T1027 ReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Scripts Installed as Services - Security |
Detects powershell script installed as a Service More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains': ['powershell', 'pwsh']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2a926e6a-4b81-4011-8a96-e36cc8c04302 Author: oscd.community, Natalia Shornikova Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
HybridConnectionManager Service Installation |
Rule to detect the Hybrid Connection Manager service installation. More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceName': 'HybridConnectionManager', 'ServiceFileName|contains': 'HybridConnectionManager'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0ee4d8a5-4e67-4faf-acfa-62a78457d1f2 Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresReferencesSeverity75 Suppression Logic Based On
Additional Information
|
||||||||
Tap Driver Installation - Security |
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains': 'tap0901'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9c8afa4d-0022-48f0-9456-3712466f9701 Author: Daniil Yugoslavskiy, Ian Davis, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Credential Dumping Tools Service Execution - Security |
Detects well-known credential dumping tools execution via service execution events More details
Rule IDQuery{'selection': {'EventID': 4697, 'ServiceFileName|contains': ['fgexec', 'dumpsvc', 'cachedump', 'mimidrv', 'gsecdump', 'servpw', 'pwdump']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f0d1feba-4344-4ca9-8121-a6c97bd6df52 Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Tactics, Techniques, and ProceduresTA0002, T1569.002, TA0006, T1003 ReferencesSeverity75 Suppression Logic Based On
Additional Information
|