Suspicious Service Installation

Detection Details
Comprehensive information about this detection rule

Description

This detection identifies suspicious service installation commands that may indicate an attacker attempting to establish persistence or escalate privileges. Windows services run with SYSTEM privileges by default, making them an attractive target for attackers. This detection focuses on service creation patterns that exhibit suspicious characteristics, such as unusual service paths, suspicious executable names, or command-line parameters that attempt to hide the true nature of the service.

Detection Details

Tool
Sigma
Category
Sigma
Severity
High
Status
Active

Metadata

ID
SIGMA-003
Author
Ahmed Al Balushi
Last Updated
2023-11-05

MITRE ATT&CK Techniques

T1543.003 - Create or Modify System Process: Windows Service

False Positives

  • Legitimate service installations and updates
  • Software deployment activities
  • Administrative scripts that manage services

Detection Rule
View and export the detection rule

Tool-Specific Rule Format

title: Suspicious Service Installation
id: SIGMA-003
status: active   # this platform's status value; the Sigma specification itself only defines stable, test, experimental, deprecated and unsupported
description: Detects suspicious service installation commands that may indicate persistence or privilege escalation.
author: Ahmed Al Balushi
date: 2023-11-05
modified: 2023-11-05
tags:
    - attack.t1543.003
logsource:
    product: windows
    service: system   # Event ID 7045 is written to the System event log; Sigma addresses that log with `service`, not `category`
detection:
    selection:
        EventID: 7045   # "A service was installed in the system"
        ImagePath|contains:   # 7045 stores the service binary and its arguments in the ImagePath field
            - 'cmd.exe'
            - 'powershell.exe'
            - 'regsvr32.exe'
            - 'rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate service installations and updates
    - Software deployment activities
    - Administrative scripts that manage services
level: high

Implementation Notes

This Sigma rule can be converted for various SIEM and EDR platforms using a Sigma converter such as sigma-cli. The rule matches only on the service image path, so consider adding filters (for example, allowlisting the service names or install paths of sanctioned deployment tools) to reduce false positives in environments where these binaries legitimately appear in service definitions.
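As an added example (not part of this page or of the rule's own tooling), the Python below applies the rule's selection logic to constructed 7045-style events and shows the kind of environment-specific allowlist filter the note above suggests. Field names follow the Windows 7045 EventData; the service names, paths and the allowlist itself are constructed for illustration.

```python
# Selection terms from the Sigma rule above: Event ID 7045 (a service was installed)
# whose service image path contains one of these binaries.
RULE_EVENT_ID = 7045
SUSPICIOUS_BINARIES = ("cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe")


def matches_selection(event: dict) -> bool:
    """Mirror the rule's `selection` block. Sigma's `|contains` modifier matches
    case-insensitively, so the image path is lower-cased before comparison."""
    if event.get("EventID") != RULE_EVENT_ID:
        return False
    image_path = str(event.get("ImagePath", "")).lower()
    return any(binary in image_path for binary in SUSPICIOUS_BINARIES)


def evaluate(events: list, allowed_service_names: tuple = ()) -> list:
    """Return the ServiceName of every event that should alert.

    `allowed_service_names` is a hypothetical, environment-specific filter (the
    service names a sanctioned deployment tool registers) of the kind the
    Implementation Notes suggest adding to cut false positives."""
    alerts = []
    for event in events:
        if not matches_selection(event):
            continue
        if event.get("ServiceName") in allowed_service_names:
            continue  # known deployment tool; suppress instead of alerting
        alerts.append(event["ServiceName"])
    return alerts


# Constructed sample events modelled on the EventData of System log event 7045.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinUpdateHelper", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\update.bat"},
    {"EventID": 7045, "ServiceName": "VendorAgent", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7045, "ServiceName": "DeployToolAgent", "AccountName": "LocalSystem",
     "ImagePath": r'C:\Windows\System32\rundll32.exe "C:\Program Files\DeployTool\setup.dll",Install'},
    # Event 7036 is a service state change, not an installation: out of scope.
    {"EventID": 7036, "ServiceName": "PSRemotingSvc", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print("raw rule:", evaluate(SAMPLE_EVENTS))
    print("with allowlist:", evaluate(SAMPLE_EVENTS, ("DeployToolAgent",)))
```

Run as-is the raw rule alerts on both the cmd.exe and rundll32.exe services; the allowlist suppresses the deployment tool's entry while the unexplained cmd.exe service still alerts.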

Investigation Guide
Step-by-step guide for investigating alerts

Why This Alert Fired

This Sigma rule fired because a service installation event (Event ID 7045) was recorded whose service image path contains cmd.exe, powershell.exe, regsvr32.exe, or rundll32.exe, a pattern that may indicate persistence or privilege escalation.

Investigation Steps

  1. Identify which log source triggered the Sigma rule
  2. Review the raw log data that matched the detection criteria
    • Look for unusual patterns or deviations from normal behavior
    • Check if the activity is consistent with the user's role and typical activities
  3. Examine the context surrounding the matched event
  4. Check for related events using the same techniques or tactics
  5. Verify if the activity is consistent with normal operations

True Positive Indicators

  • Activity matches known malicious patterns
  • Unusual execution context or parameters
  • Activity from unexpected users or systems
  • Correlation with other suspicious events

False Positive Indicators

  • Legitimate service installations and updates
  • Software deployment activities
  • Administrative scripts that manage services

Recommended Response Actions

This is a high-severity detection and requires immediate attention.

  1. Isolate affected systems from the network
  2. Capture forensic evidence before any remediation
  3. Reset credentials for any compromised accounts
  4. Block any identified malicious IPs/domains at the firewall
  5. Initiate incident response procedures

Documentation & Evidence Collection

  • Document all investigation steps and findings in the case management system
  • Capture screenshots of relevant events and timelines
  • Export raw logs and preserve them as evidence
  • Document any systems accessed and actions taken during investigation
  • Record all remediation actions if a true positive is confirmed