sigmahighHunting

PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

MITRE ATT&CK

execution

Detection Query

selection:
  EventID: 4697
  ServiceFileName|contains:
    - powershell
    - pwsh
condition: selection

Author

oscd.community, Natalia Shornikova

Created

2020-10-06

Data Sources

windowssecurity

Platforms

windows

References

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

Tags

attack.executionattack.t1569.002

Raw Content

title: PowerShell Scripts Installed as Services - Security
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
    - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
      type: derived
status: test
description: Detects powershell script installed as a Service
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-11-29
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high