sigmahighHunting

PowerShell as a Service in Registry

Detects that a powershell code is written to the registry as a service.

MITRE ATT&CK

execution

Detection Query

selection:
  TargetObject|contains: \Services\
  TargetObject|endswith: \ImagePath
  Details|contains:
    - powershell
    - pwsh
condition: selection

Author

oscd.community, Natalia Shornikova

Created

2020-10-06

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

Tags

attack.executionattack.t1569.002

Raw Content

title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
status: test
description: Detects that a powershell code is written to the registry as a service.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high