SigmaHQ/rules/windows/process_creation/win_susp_service_path_modification.yml

35 lines
925 B
YAML
Raw Normal View History

title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
description: Detects service path modification to PowerShell or cmd.
status: experimental
2019-10-25 11:38:47 +00:00
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
2019-10-25 11:38:47 +00:00
tags:
- attack.persistence
- attack.privilege_escalation
2020-06-16 20:46:08 +00:00
- attack.t1543.003
- attack.t1031 # an old one
2019-10-25 11:38:47 +00:00
date: 2019/10/21
modified: 2020/08/28
2019-10-25 11:38:47 +00:00
author: Victor Sergeev, oscd.community
logsource:
category: process_creation
product: windows
2019-10-25 11:38:47 +00:00
detection:
selection_1:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'config'
- 'binpath'
selection_2:
CommandLine|contains:
- 'powershell'
- 'cmd'
condition: selection_1 and selection_2
2019-10-25 11:38:47 +00:00
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: high