HackTool Service Registration or Execution

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects installation or execution of services

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1569.002` System Services: Service Execution

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7036
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `selection_eid`

Provider_Name: 'Service Control Manager'

Stage 2: `1 of selection_service_name`

or:
ServiceName|contains: DumpSvc
ServiceName|contains: UACBypassedService
ServiceName|contains: 'WCE SERVICE'
ServiceName|contains: WCESERVICE
ServiceName|contains: cachedump
ServiceName|contains: gsecdump
ServiceName|contains: pwdump
ServiceName|contains: winexesvc

Stage 3: `1 of selection_service_image`

ImagePath|contains: bypass

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImagePath`	match	`bypass`
`Provider_Name`	eq	`Service Control Manager` corpus 43 (sigma 43)
`ServiceName`	match	`DumpSvc` `UACBypassedService` `WCE SERVICE` `WCESERVICE` `cachedump` `gsecdump` `pwdump` `winexesvc`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Remote Access Tool Services Have Been Installed - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Remote Access Tool Services Have Been Installed - System [sigma]