← Back to Explore
sigmahighHunting
Suspicious Service Installation Script
Detects suspicious service installation scripts
Detection Query
selection_eid:
Provider_Name: Service Control Manager
EventID: 7045
selection_cmd_flags:
ImagePath|contains|windash:
- " -c "
- " -r "
- " -k "
selection_binaries:
ImagePath|contains:
- cscript
- mshta
- powershell
- pwsh
- regsvr32
- rundll32
- wscript
condition: all of selection_*
Author
pH-T (Nextron Systems)
Created
2022-03-18
Data Sources
windowssystem
Platforms
windows
References
Tags
attack.persistenceattack.privilege-escalationcar.2013-09-005attack.t1543.003
Raw Content
title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: test
description: Detects suspicious service installation scripts
references:
- Internal Research
author: pH-T (Nextron Systems)
date: 2022-03-18
modified: 2024-03-05
tags:
- attack.persistence
- attack.privilege-escalation
- car.2013-09-005
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_cmd_flags:
ImagePath|contains|windash:
- ' -c '
- ' -r '
- ' -k '
selection_binaries:
ImagePath|contains:
- 'cscript'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high