Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking for suspicious or uncommon ImagePath values, such as references to encoded PowerShell commands, temporary directories or named pipes.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 | A service was installed in the system |
Stages and Predicates
```
Stage 1: selection
  Provider_Name: 'Service Control Manager'
Stage 2: suspicious_paths
  or:
    ImagePath|contains: '\Users\Public\'
    ImagePath|contains: '\Windows\Temp\'
    ImagePath|contains: '\\\\.\\pipe'
Stage 3: all of suspicious_encoded_flag
  ImagePath|contains: ' -e'
Stage 4: all of suspicious_encoded_keywords
  or:
    ImagePath|contains: ' IAB'
    ImagePath|contains: ' JAB'
    ImagePath|contains: ' PAA'
    ImagePath|contains: ' SQBFAFgA'
    ImagePath|contains: ' SUVYI'
    ImagePath|contains: ' aQBlAHgA'
    ImagePath|contains: ' aWV4I'
Stage 5: not 1 of filter_main_defender_def_updates
  ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
Stage 6: not 1 of filter_optional_thor_remote
  ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
```
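The stages above, evaluated over a handful of constructed Event ID 7045 records, as an added example that is not part of the rule or the catalog. It assumes the condition combines them as selection AND (suspicious_paths OR (encoded flag AND encoded keyword)) AND NOT either filter, reads the Sigma value `'\\\\.\\pipe'` as the literal named-pipe prefix `\\.\pipe`, and compares case-insensitively as Sigma does by default.

```python
# Added example (not the rule's own code). Assumed combination logic:
# selection AND (suspicious_paths OR (encoded_flag AND encoded_keyword))
# AND NOT any filter. Sigma matching is case-insensitive, so all comparisons
# are done in lower case.

SUSPICIOUS_PATHS = ["\\Users\\Public\\", "\\Windows\\Temp\\", "\\\\.\\pipe"]
ENCODED_FLAG = " -e"  # also covers -ec, -enc and -EncodedCommand
ENCODED_KEYWORDS = [" IAB", " JAB", " PAA", " SQBFAFgA", " SUVYI", " aQBlAHgA", " aWV4I"]
FILTER_PREFIXES = [
    "C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\",
    "C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe",
]


def matches(event: dict) -> bool:
    """Return True when a 7045 record satisfies the assumed rule logic."""
    if event.get("Provider_Name") != "Service Control Manager":
        return False  # Stage 1: selection
    path = event.get("ImagePath", "").lower()
    if any(path.startswith(p.lower()) for p in FILTER_PREFIXES):
        return False  # Stages 5-6: the exclusions always win
    in_suspicious_dir = any(p.lower() in path for p in SUSPICIOUS_PATHS)  # Stage 2
    encoded = ENCODED_FLAG in path and any(k.lower() in path for k in ENCODED_KEYWORDS)  # 3+4
    return in_suspicious_dir or encoded


# Constructed sample records (not real telemetry); keys mirror the event fields.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "ServiceName": "updsvc",
     "ImagePath": "C:\\Users\\Public\\updsvc.exe"},
    {"Provider_Name": "Service Control Manager", "ServiceName": "psenc",
     "ImagePath": "powershell.exe -nop -w hidden -e JABjAG8AbQBtAGEAbgBkAA=="},
    {"Provider_Name": "Service Control Manager", "ServiceName": "pipesvc",
     "ImagePath": "%COMSPEC% /c echo svc > \\\\.\\pipe\\svcpipe"},
    {"Provider_Name": "Service Control Manager", "ServiceName": "thor",
     "ImagePath": "C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe --scan"},
    {"Provider_Name": "Service Control Manager", "ServiceName": "netsvc",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "ServiceName": "x",
     "ImagePath": "C:\\Users\\Public\\x.exe"},
]


def alerting_services(events=SAMPLE_EVENTS) -> list:
    """Names of the services whose installation record trips the rule."""
    return [e["ServiceName"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_services())  # ['updsvc', 'psenc', 'pipesvc']
```

The `thor` record lands in `\Windows\Temp\` yet produces no alert, which is the optional filter at work; the Security-Auditing record never reaches the path checks because the selection stage rejects it first.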
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ImagePath | match | `\Users\Public\`, `\Windows\Temp\`, `\\\\.\\pipe`, ` -e`, ` IAB`, ` JAB`, ` PAA`, ` SQBFAFgA`, ` SUVYI`, ` aQBlAHgA`, ` aWV4I` |
| ImagePath | starts_with | `C:\ProgramData\Microsoft\Windows Defender\Definition Updates\`, `C:\WINDOWS\TEMP\thor10-remote\thor64.exe` |
| Provider_Name | eq | `Service Control Manager` |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or lacking in specificity.
- Invoke-Obfuscation Via Use Rundll32 - System (adds 5 filters)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (adds 5 filters)
- Invoke-Obfuscation VAR+ Launcher - System (adds 4 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - System (adds 4 filters)
- Invoke-Obfuscation CLIP+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation STDIN+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation Via Stdin - System (adds 3 filters)
- Invoke-Obfuscation Via Use MSHTA - System (adds 2 filters)
- ProcessHacker Privilege Elevation (adds 2 filters)
- Invoke-Obfuscation Via Use Clip - System (adds 1 filter)
- Credential Dumping Tools Service Execution - System (adds 1 filter)
- Moriya Rootkit - System (adds 1 filter)
- PowerShell Scripts Installed as Services (adds 1 filter)
- Service Installed By Unusual Client - System (adds 1 filter)
- Suspicious Service Installation (adds 1 filter)
- Tap Driver Installation (adds 1 filter)
- RTCore Suspicious Service Installation (adds 1 filter)
- Service Installation in Suspicious Folder (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)