2017-03-27 13:20:50 +00:00
|
|
|
title: Malicious Service Installs
|
|
|
|
|
description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
|
|
|
|
|
author: Florian Roth
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: system
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
EventID: 7045
|
|
|
|
|
wce:
|
|
|
|
|
ServiceName:
|
|
|
|
|
- 'WCESERVICE'
|
|
|
|
|
- 'WCE SERVICE'
|
|
|
|
|
paexec:
|
|
|
|
|
ServiceFileName: '*\PAExec*'
|
|
|
|
|
winexe:
|
|
|
|
|
ServiceFileName: 'winexesvc.exe*'
|
|
|
|
|
pwdumpx:
|
|
|
|
|
ServiceFileName: '*\DumpSvc.exe'
|
2017-05-15 14:06:16 +00:00
|
|
|
wannacry:
|
|
|
|
|
ServiceName: 'mssecsvc2.0'
|
2017-08-16 13:16:41 +00:00
|
|
|
persistence:
|
|
|
|
|
ServiceFileName: '* net user *'
|
2017-03-27 13:20:50 +00:00
|
|
|
others:
|
|
|
|
|
ServiceName:
|
|
|
|
|
- 'pwdump*'
|
|
|
|
|
- 'gsecdump*'
|
|
|
|
|
- 'cachedump*'
|
2017-08-16 13:16:41 +00:00
|
|
|
condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
|
2017-03-27 13:20:50 +00:00
|
|
|
falsepositives:
|
|
|
|
|
- Penetration testing
|
|
|
|
|
level: critical
|
