sigmamediumHunting

New PDQDeploy Service - Server Side

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

MITRE ATT&CK

T1543.003

persistenceprivilege-escalation

Detection Query

selection_root:
  Provider_Name: Service Control Manager
  EventID: 7045
selection_service:
  - ImagePath|contains: PDQDeployService.exe
  - ServiceName:
      - PDQDeploy
      - PDQ Deploy
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-07-22

Data Sources

windowssystem

Platforms

windows

References

https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm

Tags

attack.persistenceattack.privilege-escalationattack.t1543.003

Raw Content

title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
              - 'PDQDeploy'
              - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium