
Summary
This detection rule identifies potentially malicious creation of new Windows services via the 'sc' command or PowerShell's 'New-Service' cmdlet. It looks for command executions whose service binary path is characteristic of persistence mechanisms commonly used by malware: the rule alerts when the new service points at a common scripting environment or at a directory frequently used for malware staging (e.g., Downloads, Desktop, TEMP). The high severity level reflects the fact that such service creation can lead to credential theft or privilege escalation in an enterprise setting. The rule uses specific command-line patterns to distinguish legitimate service creation from potentially harmful attempts.
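The following is an added illustration of the detection logic described above, run over constructed process-creation events; it is not the rule's own definition and not code from any vendor. The exact path and script-host patterns (including Users\Public and AppData, which the summary only implies with "etc.") and the event field names are assumptions for the example.

```python
import re

# Constructed sample process-creation events (Sysmon EventID 1 / 4688-style
# fields); none of these are real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create Updater binPath= "C:\Users\alice\Downloads\update.exe" start= auto'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command New-Service -Name Sync -BinaryPathName C:\Users\alice\AppData\Local\Temp\sync.exe"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create BackupAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc query wuauserv"},
    {"image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create Helper binPath= "cmd.exe /c C:\Users\Public\run.bat" start= auto'},
]

# Service-creation command shapes the rule is interested in.
SERVICE_CREATE = [
    re.compile(r"\bsc(\.exe)?\b.*\bcreate\b", re.IGNORECASE),
    re.compile(r"\bNew-Service\b", re.IGNORECASE),
]

# Directories commonly used for malware staging (assumed list for this example).
SUSPICIOUS_DIRS = [
    ("Downloads", re.compile(r"\\Downloads\\", re.IGNORECASE)),
    ("Desktop", re.compile(r"\\Desktop\\", re.IGNORECASE)),
    ("Temp", re.compile(r"\\Temp\\", re.IGNORECASE)),
    ("Users\\Public", re.compile(r"\\Users\\Public\\", re.IGNORECASE)),
    ("AppData", re.compile(r"\\AppData\\", re.IGNORECASE)),
]

# Script hosts that a service binary path should not normally invoke.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd(\.exe)? /c|wscript|cscript|mshta|rundll32|regsvr32)\b",
    re.IGNORECASE,
)


def binary_path(cmdline):
    """Extract the service binary path from an sc or New-Service command line."""
    m = re.search(r"binPath=\s*(\"[^\"]+\"|\S+)", cmdline, re.IGNORECASE)
    if not m:
        m = re.search(r"-BinaryPathName\s+(\"[^\"]+\"|'[^']+'|\S+)", cmdline, re.IGNORECASE)
    return m.group(1).strip("\"'") if m else None


def evaluate(event):
    """Return a finding dict if the event matches the rule, else None."""
    cmd = event["cmdline"]
    if not any(p.search(cmd) for p in SERVICE_CREATE):
        return None
    path = binary_path(cmd)
    reasons = []
    if path is not None:
        for label, pattern in SUSPICIOUS_DIRS:
            if pattern.search(path):
                reasons.append(f"binary path in suspicious directory: {label}")
        if SCRIPT_HOSTS.search(path):
            reasons.append("binary path invokes a script host")
    if not reasons:
        return None
    return {"image": event["image"], "cmdline": cmd, "binary_path": path, "reasons": reasons}


def scan(events):
    """Run the rule over a list of events and return all findings."""
    return [hit for hit in (evaluate(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["binary_path"], "->", "; ".join(hit["reasons"]))
```

The check is applied to the extracted binary path rather than the whole command line, so a benign `sc create` with a binary under Program Files, and a plain `sc query`, do not fire; a legitimate PowerShell session creating a service in Temp still would, which is the trade-off the rule's severity implies.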
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1543.003
Created: 2022-07-14