Service Installed By Unusual Client - System

Sigma Rules

Summary
This rule, 'Service Installed By Unusual Client - System', detects potentially malicious service installations on Windows systems. It flags a service installation whose client process is abnormal: either the client process has a Process ID (PID) of 0, or the client's parent process has a PID of 0. A legitimate service installation originates from a real user-mode client (an installer, sc.exe, PowerShell, a management agent), so a PID of 0 in either field is unusual and may indicate privilege escalation or other tampering with the Service Control Manager rather than a normal install. The rule is built on Windows Event ID 7045 ('A service was installed in the system'), which the Service Control Manager writes to the System log whenever a new service is created; detection filters these events for the PID conditions above. Because the match depends on PID values, the rule only works when the collection pipeline preserves the process ID recorded in the event's System section; if that field is dropped during forwarding, the rule will never fire. Given its focus on privilege escalation through service creation, the rule is categorised under the ATT&CK technique for creating or modifying system processes (T1543).
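The rule's condition applied in Python, as an added example that is not part of this page or of the Sigma project's own rule file. It runs over constructed, already-normalised System-log events rather than raw EVTX. Field names follow Sigma's Windows conventions (EventID, Provider_Name, ProcessId, ParentProcessId); whether ParentProcessId is actually present for a 7045 event depends on the collection pipeline, so the example treats it as optional and still matches on a zero client PID alone.

```python
"""Added example: 'Service Installed By Unusual Client - System' logic
applied to constructed, normalised Windows System-log events.

Assumptions (not from the page): events arrive as dicts keyed by Sigma-style
Windows field names. ParentProcessId is treated as optional because not every
pipeline exposes it for Event ID 7045.
"""
from typing import Any, Dict, Iterable, List, Optional

SERVICE_INSTALLED = 7045
SCM_PROVIDER = "Service Control Manager"


def _as_int(value: Any) -> Optional[int]:
    """Return value as an int, accepting ints and decimal or 0x-hex strings.

    Returns None when the field is absent or unparseable so a missing PID is
    never mistaken for PID 0.
    """
    if value is None:
        return None
    if isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 0)
    except ValueError:
        return None


def is_unusual_service_install(event: Dict[str, Any]) -> bool:
    """True for a 7045 from the SCM whose client PID or parent PID is 0."""
    if _as_int(event.get("EventID")) != SERVICE_INSTALLED:
        return False
    if event.get("Provider_Name") != SCM_PROVIDER:
        return False
    pid = _as_int(event.get("ProcessId"))
    ppid = _as_int(event.get("ParentProcessId"))
    return pid == 0 or ppid == 0


def find_unusual_service_installs(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the service names of matching events, in input order, for triage."""
    return [
        str(e.get("ServiceName", "<unknown>"))
        for e in events
        if is_unusual_service_install(e)
    ]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {  # normal install: non-zero client and parent PIDs, no match
        "EventID": 7045, "Provider_Name": SCM_PROVIDER,
        "ProcessId": 812, "ParentProcessId": 644,
        "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe",
    },
    {  # client PID 0 and no parent field at all: match
        "EventID": 7045, "Provider_Name": SCM_PROVIDER,
        "ProcessId": 0,
        "ServiceName": "updsvc", "ImagePath": r"C:\Users\Public\upd.exe",
    },
    {  # non-zero client PID (hex string) but parent PID 0: match
        "EventID": 7045, "Provider_Name": SCM_PROVIDER,
        "ProcessId": "0x1a4c", "ParentProcessId": "0",
        "ServiceName": "WinRAR Helper", "ImagePath": r"C:\ProgramData\helper.exe",
    },
    {  # same provider, different event (service state change): no match
        "EventID": 7036, "Provider_Name": SCM_PROVIDER,
        "ProcessId": 0, "ServiceName": "Sysmon64",
    },
    {  # 7045 from another provider: no match
        "EventID": 7045, "Provider_Name": "Microsoft-Windows-Eventlog",
        "ProcessId": 0, "ServiceName": "bogus",
    },
]

if __name__ == "__main__":
    for name in find_unusual_service_installs(SAMPLE_EVENTS):
        print("ALERT: service installed by unusual client:", name)
```

The provider check matters in practice: other sources can emit an event numbered 7045, and the Service Control Manager itself emits other IDs (such as 7036) that carry PID fields, so matching on EventID alone produces noise. Treating a missing PID as "unknown" rather than 0 avoids false positives from pipelines that strip the field.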
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Service
  • Logon Session
Created: 2022-09-15