Detection rules › Splunk
Malicious Powershell Executed As A Service
The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 |
Stages and Predicates
Stage 1: search
search EventCode=7045
Stage 2: eval
eval ... using (ImagePath)
Stage 3: regex
regex match(l_ImagePath, "powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]")
Stage 4: regex
regex match(l_ImagePath, "-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+")
Stage 5: stats
stats BY EventCode, ImagePath, ServiceName, StartType, ServiceType, AccountName, UserID, dest
Stage 6: rename
rename
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
l_ImagePath | regex_match |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Bluetooth Service Installed From Uncommon Location (adds 2 filters)
- Windows Service Created with Suspicious Service Path (adds 2 filters)
- Windows Snake Malware Service Create (adds 2 filters)
- Clop Ransomware Known Service Name (adds 1 filter)
- Windows Driver Load Non-Standard Path (adds 1 filter)
- Windows KrbRelayUp Service Creation (adds 1 filter)
- Windows Service Create RemComSvc (adds 1 filter)
- Windows Service Create SliverC2 (adds 1 filter)
- Windows Vulnerable Driver Installed (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)