ServiceDll Hijack
- source: sigma
- techniques:
  - t1543
  - t1543.003
Description
Detects changes to the “ServiceDLL” value related to a service in the registry. This is often used as a method of persistence.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_domain_controller:
  Details: '%%systemroot%%\system32\ntdsa.dll'
  Image: C:\Windows\system32\lsass.exe
  TargetObject|endswith: \Services\NTDS\Parameters\ServiceDll
filter_main_poqexec:
  Image: C:\Windows\System32\poqexec.exe
filter_main_printextensionmanger:
  Details: C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
filter_optional_safetica:
  Details: C:\Windows\System32\STAgent.dll
  Image|endswith: \regsvr32.exe
selection:
  TargetObject|contains|all:
    - \System\
    - ControlSet
    - \Services\
  TargetObject|endswith: \Parameters\ServiceDll
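The following is an added example, not code from the Sigma project or from this page: a small Python re-implementation of the rule's selection and filter logic, run over a handful of constructed Sysmon Event ID 13 (registry value set) records. Field names mirror the rule (TargetObject, Details, Image); the sample events, the service name ExampleSvc and the DLL paths in them are invented for the demonstration. Sigma string modifiers match case-insensitively by default, so every comparison lowercases both sides.

```python
# Added example: ServiceDll Hijack rule logic over constructed Sysmon
# registry-set events. Not the Sigma project's own code.

# Constructed sample events (Sysmon Event ID 13 style field names).
SAMPLE_EVENTS = [
    {   # constructed: an unknown DLL written into a service's ServiceDll value
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll",
        "Details": r"C:\ProgramData\unknown.dll",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # constructed: lsass.exe maintaining the NTDS ServiceDll on a domain controller
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\Parameters\ServiceDll",
        "Details": r"%%SystemRoot%%\system32\ntdsa.dll",
        "Image": r"C:\Windows\system32\lsass.exe",
    },
    {   # constructed: Windows servicing (poqexec.exe) updating a ServiceDll value
        "TargetObject": r"HKLM\System\ControlSet001\Services\ExampleSvc\Parameters\ServiceDll",
        "Details": r"%%SystemRoot%%\system32\example.dll",
        "Image": r"C:\Windows\System32\poqexec.exe",
    },
    {   # constructed: same service key, but ImagePath rather than ServiceDll
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath",
        "Details": r"C:\ProgramData\unknown.exe",
        "Image": r"C:\Windows\System32\reg.exe",
    },
]


def _field(event, name):
    """Return a field lowercased; Sigma matching is case-insensitive by default."""
    return str(event.get(name, "")).lower()


def selection(event):
    """TargetObject|contains|all + TargetObject|endswith from the rule."""
    target = _field(event, "TargetObject")
    return (all(part in target for part in ("\\system\\", "controlset", "\\services\\"))
            and target.endswith("\\parameters\\servicedll"))


def filter_main_domain_controller(event):
    return (_field(event, "Details") == "%%systemroot%%\\system32\\ntdsa.dll"
            and _field(event, "Image") == "c:\\windows\\system32\\lsass.exe"
            and _field(event, "TargetObject").endswith("\\services\\ntds\\parameters\\servicedll"))


def filter_main_poqexec(event):
    return _field(event, "Image") == "c:\\windows\\system32\\poqexec.exe"


def filter_main_printextensionmanger(event):
    return _field(event, "Details") == "c:\\windows\\system32\\spool\\drivers\\x64\\3\\printconfig.dll"


def filter_optional_safetica(event):
    return (_field(event, "Details") == "c:\\windows\\system32\\stagent.dll"
            and _field(event, "Image").endswith("\\regsvr32.exe"))


FILTERS_MAIN = [filter_main_domain_controller, filter_main_poqexec,
                filter_main_printextensionmanger]
FILTERS_OPTIONAL = [filter_optional_safetica]


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event)
            and not any(f(event) for f in FILTERS_MAIN)
            and not any(f(event) for f in FILTERS_OPTIONAL))


def run_rule(events):
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT ServiceDll Hijack:", hit)
```

Only the first constructed event fires: the lsass.exe and poqexec.exe writes are selected but dropped by the main filters, and the ImagePath write never enters the selection because it does not end in \Parameters\ServiceDll. Dropping the `filter_optional_*` group from `matches` is the same knob the rule exposes: it widens coverage at the cost of alerts from the named third-party agent.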