title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
description: Detects a PowerShell script installed as a service
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/06
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
detection:
    # Service installation events: 7045 (System log, Service Control Manager)
    # and 4697 (Security log, "A service was installed in the system").
    selection1:
        EventID:
            - 7045
            - 4697
        ServiceFileName|contains:
            - 'powershell'
            - 'pwsh'
    # Sysmon Event ID 13 (registry value set) on a service's ImagePath value.
    selection2:
        EventID: 13
        TargetObject: '*\Services\*\ImagePath'
        Details|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high