LoFP / legitimate administrator or user creates a service for legitimate reasons.

Techniques

Sample rules

New Service Creation Using Sc.EXE

source: sigma
technicques:
- t1543
- t1543.003

Description

Detects the creation of a new service using the “sc.exe” utility.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_dropbox:
  ParentImage|endswith: \Dropbox.exe
  ParentImage|startswith:
  - C:\Program Files (x86)\Dropbox\Client\
  - C:\Program Files\Dropbox\Client\
selection:
  CommandLine|contains|all:
  - create
  - binPath
  Image|endswith: \sc.exe

New Service Creation Using PowerShell

source: sigma
technicques:
- t1543
- t1543.003

Description

Detects the creation of a new service using powershell.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - New-Service
  - -BinaryPathName