mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
20 lines
588 B
YAML
20 lines
588 B
YAML
title: Rare Service Installs
|
|
description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
|
|
status: experimental
|
|
author: Florian Roth
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.t1050
|
|
logsource:
|
|
product: windows
|
|
service: system
|
|
detection:
|
|
selection:
|
|
EventID: 7045
|
|
timeframe: 7d
|
|
condition: selection | count() by ServiceFileName < 5
|
|
falsepositives:
|
|
- Software installation
|
|
- Software updates
|
|
level: low |