Techniques
Sample rules
Malicious Powershell Executed As A Service
- source: splunk
- techniques:
- T1569
- T1569.002
Description
This detection identifies abuse of the Windows SC.exe utility to run malicious commands or payloads via PowerShell by registering them as a service. It keys on System log Event ID 7045 (a new service was installed), so it also fires on services created by other means than SC.exe, and it only alerts when the service's ImagePath launches powershell.exe, powershell_ise.exe, pwsh.exe or psexec together with one of the switches commonly used to hide or smuggle execution (-NoProfile, -WindowStyle Hidden, -NoExit, -EncodedCommand).
Detection logic
`wineventlog_system` EventCode=7045
| eval l_ImagePath=lower(ImagePath)
| regex l_ImagePath="powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]"
| regex l_ImagePath="-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ImagePath ServiceName StartType ServiceType AccountName UserID dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `malicious_powershell_executed_as_a_service_filter`
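To check the two regex stages offline before deploying the search, here is an added Python example (not Splunk's own code and not part of the original rule) that applies the same two patterns to constructed EventCode 7045 records, lowercases ImagePath as the eval does, and reproduces the stats grouping and the UserID rename. The service names, paths, timestamps and the allowlist argument that stands in for the `_filter` macro are assumptions made for the example; the two `security_content_ctime` macros only format timestamps and are left out.

```python
import re

# Added example (not from the Splunk Security Content project): the two regexes
# of the SPL search applied to constructed EventCode 7045 records, followed by
# the same grouping the `stats` clause performs.
INTERPRETER_RE = re.compile(r"powershell[.\s]|powershell_ise[.\s]|pwsh[.\s]|psexec[.\s]")
SWITCH_RE = re.compile(
    r"-nop[rofile\s]+|-w[indowstyle]*\s+hid[den]*|-noe[xit\s]+|-enc[odedcommand\s]+"
)

# Fields the `stats ... by` clause groups on (UserID is renamed to user afterwards).
GROUP_FIELDS = ("EventCode", "ImagePath", "ServiceName", "StartType",
                "ServiceType", "AccountName", "UserID", "dest")

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _event(t, name, image_path, code=7045, dest="ws01"):
    """Build one constructed System-log record carrying the fields the search uses."""
    return {"_time": t, "EventCode": code, "ServiceName": name, "ImagePath": image_path,
            "StartType": "auto start", "ServiceType": "user mode service",
            "AccountName": "LocalSystem", "UserID": "S-1-5-18", "dest": dest}


# Constructed sample events; service names, paths, hosts and timestamps are invented.
SAMPLE_EVENTS = [
    # Same service installed twice on one host: collapses into one row with count=2.
    _event(1700000000, "UpdaterSvc", PS_PATH + " -NoP -W Hidden -Enc SQBFAFgA"),
    _event(1700000060, "UpdaterSvc", PS_PATH + " -NoP -W Hidden -Enc SQBFAFgA"),
    # pwsh with -noexit and -windowstyle hidden: both regex stages match.
    _event(1700000120, "PwshSvc",
           r"C:\Program Files\PowerShell\7\pwsh.exe -noexit -windowstyle hidden -c Get-Date",
           dest="srv02"),
    # Benign vendor service: no interpreter name in the ImagePath.
    _event(1700000180, "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    # PowerShell without any of the flagged switches: first regex hits, second does not.
    _event(1700000240, "BackupSvc", PS_PATH + r" -File C:\Scripts\backup.ps1"),
    # Wrong EventCode (7036, service state change): dropped by the base search.
    _event(1700000300, "UpdaterSvc", PS_PATH + " -NoP -W Hidden -Enc SQBFAFgA", code=7036),
]


def matches(event):
    """True when the record survives the base search and both regex stages."""
    if event.get("EventCode") != 7045:
        return False
    l_image_path = event["ImagePath"].lower()  # eval l_ImagePath=lower(ImagePath)
    return bool(INTERPRETER_RE.search(l_image_path) and SWITCH_RE.search(l_image_path))


def run_detection(events, allowlist=frozenset()):
    """Group matching events as the stats clause does; allowlist stands in for the _filter macro."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["user"] = row.pop("UserID")      # rename UserID as user
        row.update(g)
        if row["ServiceName"] in allowlist:  # tuning hook, like the _filter macro
            continue
        rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["dest"], row["ServiceName"], row["count"], row["ImagePath"])
```

Running it yields two rows: UpdaterSvc on ws01 with count 2 and PwshSvc on srv02 with count 1. The BackupSvc record shows the main blind spot of the second regex: a service whose ImagePath runs powershell.exe with only -File or -Command and none of the four switch families is not matched, so pair this search with broader service-install monitoring rather than relying on it alone. Lowercasing ImagePath first is what makes the case-sensitive regexes catch -NoP, -W Hidden and -Enc as written by sc.exe callers.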