LoFP / legitimate administrator or user creates a service for legitimate reasons.

Techniques

• t1543
• t1543.003

Sample rules

New Service Creation Using Sc.EXE

• source: sigma
• technicques:
  • t1543
  • t1543.003

Description

Detects the creation of a new service using the “sc.exe” utility.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - create
  - binPath
  Image|endswith: \sc.exe

New Service Creation Using PowerShell

• source: sigma
• technicques:
  • t1543
  • t1543.003

Description

Detects the creation of a new service using powershell.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - New-Service
  - -BinaryPathName