Techniques
Sample rules
Malicious Powershell Executed As A Service
- source: splunk
- techniques:
- T1569
- T1569.002
Description
The following analytic identifies the execution of malicious PowerShell commands or payloads via the Windows SC.exe utility. It detects this activity by analyzing Windows System logs (EventCode 7045) and filtering for specific PowerShell-related patterns in the ImagePath field. This behavior is significant because it indicates potential abuse of the Windows Service Control Manager to run unauthorized or harmful scripts, which could lead to system compromise. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment.
Detection logic
`wineventlog_system` EventCode=7045
| eval l_ImagePath=lower(ImagePath)
| regex l_ImagePath="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]"
| regex l_ImagePath="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `malicious_powershell_executed_as_a_service_filter`
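As an added example (not part of the Splunk content), this Python re-implements the search offline: the two regex stages over a lower-cased ImagePath, the `stats ... by` grouping, the `rename`, and an allow-list standing in for the `_filter` macro, run over constructed EventCode 7045 records so the boundary behaviour of the patterns can be checked. The service names, the allow-list and the `_ev` helper are assumptions.

```python
import re
from collections import defaultdict
# Regexes copied from the two `regex` commands of the search; both are applied
# to the lower-cased ImagePath, mirroring `eval l_ImagePath=lower(ImagePath)`.
HOST_RE = re.compile(r"powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]")
FLAG_RE = re.compile(r"-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+")

# Stand-in for the `malicious_powershell_executed_as_a_service_filter` macro
# (hypothetical allow-list of known-good service names; constructed here).
ALLOWED_SERVICES = {"BackupJob"}

def event_matches(event):
    """Return True when a 7045 event passes both regex stages of the search."""
    if event.get("EventCode") != 7045:
        return False
    l_image_path = event.get("ImagePath", "").lower()
    return bool(HOST_RE.search(l_image_path)) and bool(FLAG_RE.search(l_image_path))

def run_detection(events):
    """Apply the filters, then the stats/rename/filter stages; return result rows."""
    by = ("EventCode", "ImagePath", "ServiceName", "StartType", "ServiceType", "AccountName", "UserID", "dest")
    groups = defaultdict(list)
    for ev in filter(event_matches, events):
        groups[tuple(ev.get(f) for f in by)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(by, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        row["user"] = row.pop("UserID")                 # `rename UserID as user`
        if row["ServiceName"] not in ALLOWED_SERVICES:  # `..._filter` macro
            rows.append(row)
    return rows

# Constructed sample events (not real telemetry) shaped like EventCode 7045 records.
def _ev(t, code, path, svc):
    return {"_time": t, "EventCode": code, "ImagePath": path, "ServiceName": svc,
            "StartType": "demand start", "ServiceType": "user mode service",
            "AccountName": "LocalSystem", "UserID": "S-1-5-18", "dest": "ws01"}

SAMPLE_EVENTS = [
    _ev(1700000000, 7045, r"C:\Windows\System32\svchost.exe -k netsvcs", "wuauserv"),
    _ev(1700000010, 7045, "%COMSPEC% /b /c start /b /min PowerShell.exe -NoP -W Hidden -Enc QQBCAEMA", "updsvc"),
    _ev(1700000020, 7045, "%COMSPEC% /b /c start /b /min PowerShell.exe -NoP -W Hidden -Enc QQBCAEMA", "updsvc"),
    _ev(1700000030, 7045, r"C:\Tools\pwsh.exe -NoProfile -File C:\Tools\backup.ps1", "BackupJob"),  # allow-listed
    _ev(1700000040, 7045, r"C:\Tools\PowerShellTool\agent.exe -nop", "AgentSvc"),  # "powershell" not followed by . or space
    _ev(1700000050, 7036, "PowerShell.exe -nop -w hidden", "updsvc"),              # not a 7045 event
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["count"], row["ServiceName"], row["user"], row["ImagePath"])
```

The two identical `updsvc` records collapse into one row with count 2, while the `BackupJob` pwsh service matches both regexes and is dropped only by the allow-list, which is the tuning point the `_filter` macro exists for.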