Detection rules › Sigma
Suspicious Service Installation Script
Detects suspicious service installation scripts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 |
Stages and Predicates
Stage 1: all of selection_eid
Provider_Name: 'Service Control Manager'
Stage 2: all of selection_cmd_flags
or:
ImagePath|contains: ' -c '
ImagePath|contains: ' -k '
ImagePath|contains: ' -r '
Stage 3: all of selection_binaries
or:
ImagePath|contains: cscript
ImagePath|contains: mshta
ImagePath|contains: powershell
ImagePath|contains: pwsh
ImagePath|contains: regsvr32
ImagePath|contains: rundll32
ImagePath|contains: wscript
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ImagePath | match |
|
Provider_Name | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Invoke-Obfuscation Via Use Rundll32 - System (adds 5 filters)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (adds 5 filters)
- Invoke-Obfuscation VAR+ Launcher - System (adds 4 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - System (adds 4 filters)
- Invoke-Obfuscation CLIP+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation STDIN+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation Via Stdin - System (adds 3 filters)
- Invoke-Obfuscation Via Use MSHTA - System (adds 2 filters)
- ProcessHacker Privilege Elevation (adds 2 filters)
- Invoke-Obfuscation Via Use Clip - System (adds 1 filter)
- Credential Dumping Tools Service Execution - System (adds 1 filter)
- Moriya Rootkit - System (adds 1 filter)
- PowerShell Scripts Installed as Services (adds 1 filter)
- Service Installed By Unusual Client - System (adds 1 filter)
- Suspicious Service Installation (adds 1 filter)
- Tap Driver Installation (adds 1 filter)
- RTCore Suspicious Service Installation (adds 1 filter)
- Service Installation in Suspicious Folder (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)