valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a68d50a5d9
SigmaHQ/rules/windows/builtin/win_rare_service_installs.yml

25 lines
711 B
YAML
Raw Normal View History

Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
title: Rare Service Installs
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
newline in description - typo
2020-03-14 18:58:58 +00:00
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
status: experimental
author: Florian Roth
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
date: 2017/03/08
Add tags to windows builtin rules
2018-07-24 05:50:32 +00:00
tags:
- attack.persistence
- attack.privilege_escalation
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-24 23:09:17 +00:00
- attack.t1050 # an old one
First Pass
2019-06-14 04:15:38 +00:00
- car.2013-09-005
Initial round of subtechnique updates
2020-06-16 20:46:08 +00:00
- attack.t1543.003
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
timeframe: 7d
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
condition: selection | count() by ServiceFileName < 5
falsepositives:
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
- Software installation
- Software updates
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
level: low
Reference in New Issue Copy Permalink