-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_susp_service_creation.yml
More file actions
55 lines (55 loc) · 1.8 KB
/
proc_creation_win_susp_service_creation.yml
File metadata and controls
55 lines (55 loc) · 1.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
title: Suspicious New Service Creation
id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
related:
- id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
type: derived
status: test
description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2022-11-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'create'
- 'binPath='
selection_posh:
CommandLine|contains|all:
- 'New-Service'
- '-BinaryPathName'
susp_binpath:
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'svchost'
- 'dllhost'
- 'cmd '
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'rundll32'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: 1 of selection* and susp_binpath
falsepositives:
- Unlikely
level: high