SigmaHQ/rules/windows/builtin/win_mal_service_installs.yml

title: Malicious Service Installations
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
author: Florian Roth
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1050
    - car.2013-09-005
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
    malsvc_wce:
        ServiceName: 
            - 'WCESERVICE'
            - 'WCE SERVICE'
    malsvc_paexec:
        ServiceFileName: '*\PAExec*'
    malsvc_winexe:
        ServiceFileName: 'winexesvc.exe*'
    malsvc_pwdumpx:
        ServiceFileName: '*\DumpSvc.exe'
    malsvc_wannacry:
        ServiceName: 'mssecsvc2.0'
    malsvc_persistence:
        ServiceFileName: '* net user *'
    malsvc_others:
        ServiceName:
            - 'pwdump*'
            - 'gsecdump*'
            - 'cachedump*'
    condition: selection and 1 of malsvc_*
falsepositives: 
    - Penetration testing
level: critical
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Malicious Service Installations`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity`
			`author: Florian Roth`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.persistence`
			`- attack.privilege_escalation`
			`- attack.t1050`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2013-09-005`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID: 7045`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_wce:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`ServiceName:`
			`- 'WCESERVICE'`
			`- 'WCE SERVICE'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_paexec:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`ServiceFileName: '\PAExec'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_winexe:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`ServiceFileName: 'winexesvc.exe*'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_pwdumpx:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`ServiceFileName: '*\DumpSvc.exe'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_wannacry:`
WannaCry Service Install 2017-05-15 14:06:16 +00:00			`ServiceName: 'mssecsvc2.0'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_persistence:`
Service install - net user persistence 2017-08-16 13:16:41 +00:00			`ServiceFileName: '* net user *'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`malsvc_others:`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`ServiceName:`
			`- 'pwdump*'`
			`- 'gsecdump*'`
			`- 'cachedump*'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: selection and 1 of malsvc_*`
Rules: Password dumper activity and lateral movement 2017-03-27 13:20:50 +00:00			`falsepositives:`
			`- Penetration testing`
			`level: critical`