valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-09 02:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d7bd90cb24
SigmaHQ/rules/windows/builtin/win_rare_service_installs.yml

25 lines
670 B
YAML
Raw Normal View History

Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
title: Rare Service Installs
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious
services
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
status: experimental
author: Florian Roth
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
date: 2017/03/08
Add tags to windows builtin rules
2018-07-24 05:50:32 +00:00
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1050
First Pass
2019-06-14 04:15:38 +00:00
- car.2013-09-005
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
timeframe: 7d
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
condition: selection | count() by ServiceFileName < 5
falsepositives:
Rule: Rare Windows Service Installs
2017-03-08 18:09:34 +00:00
- Software installation
- Software updates
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
level: low
Reference in New Issue Copy Permalink