2021-07-07 02:33:26 +00:00
action : global
2020-02-16 22:24:00 +00:00
title : Malicious Service Installations
2021-05-27 19:06:07 +00:00
id : 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
2021-07-06 03:03:08 +00:00
description : Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
2020-02-16 22:24:00 +00:00
author : Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
date : 2017 /03/27
2021-07-06 07:50:23 +00:00
modified : 2021 /07/06
2021-07-06 03:03:08 +00:00
references :
- https://awakesecurity.com/blog/threat-hunting-for-paexec/
- https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
- https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
2020-02-16 22:24:00 +00:00
tags :
- attack.persistence
- attack.privilege_escalation
- attack.t1003
2020-08-24 23:09:17 +00:00
- attack.t1035 # an old one
- attack.t1050 # an old one
2020-02-16 22:24:00 +00:00
- car.2013-09-005
2020-06-16 20:46:08 +00:00
- attack.t1543.003
- attack.t1569.002
2021-07-07 02:33:26 +00:00
detection :
condition : selection and 1 of malsvc_*
falsepositives :
- Penetration testing
level : critical
---
2020-02-16 22:24:00 +00:00
logsource :
product : windows
service : system
detection :
selection :
2021-07-07 02:33:26 +00:00
EventID : 7045
2020-02-16 22:24:00 +00:00
malsvc_paexec :
ServiceFileName|contains : '\PAExec'
malsvc_wannacry :
ServiceName : 'mssecsvc2.0'
malsvc_persistence :
ServiceFileName|contains : 'net user'
2021-07-07 02:33:26 +00:00
malsvc_apt29 :
ServiceName : 'Java(TM) Virtual Machine Support Service'
---
logsource :
product : windows
service : security
detection :
selection :
EventID : 4697
2021-07-06 03:03:08 +00:00
malsvc_apt29 :
ServiceName : 'javamtsup'
