valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
89e43c1059
SigmaHQ/rules/windows/builtin/win_malicious_service_install.yml

23 lines
555 B
YAML
Raw Blame History

title: Malicious Service Install
description: This method detects well-known keywords of malicious services in the Windows System Eventlog
author: Florian Roth
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 7045
- 4697
keywords:
- 'WCE SERVICE'
- 'WCESERVICE'
- 'DumpSvc'
quarkspwdump:
EventID: 16
HiveName: '*\AppData\Local\Temp\SAM*.dmp'
condition: ( selection and keywords ) or quarkspwdump
falsepositives:
- Unlikely
level: high
Reference in New Issue View Git Blame Copy Permalink