SigmaHQ/rules/windows/builtin/win_rare_service_installs.yml

title: Rare Service Installs
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services 
status: experimental
author: Florian Roth
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
    timeframe: 7d
    condition: selection | count(ServiceFileName) < 5 
falsepositives: 
    - Software installation
    - Software updates
level: low
Rule: Rare Windows Service Installs 2017-03-08 18:09:34 +00:00			`title: Rare Service Installs`
Bugfixes and improvements 2017-03-21 09:24:20 +00:00			`description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services`
Rule: Rare Windows Service Installs 2017-03-08 18:09:34 +00:00			`status: experimental`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID: 7045`
			`timeframe: 7d`
			`condition: selection \| count(ServiceFileName) < 5`
			`falsepositives:`
			`- Software installation`
			`- Software updates`
			`level: low`