Windows PowerShell scripts installed as services
Goal
Detects PowerShell scripts being installed as Windows services, which can be used for persistence and privilege escalation.
Strategy
This rule monitors Windows Security event logs for service installation events that reference PowerShell. It specifically looks for Windows Event ID 4697
(Service Installation, "A service was installed in the system") where the service name or the service file name (the executable path and arguments the Service Control Manager will run) contains PowerShell-identifiable strings, such as powershell.exe, pwsh.exe, a .ps1 script path, or an -EncodedCommand argument. Note that 4697 is only written when the Audit Security System Extension subcategory is enabled; without it, the installation is recorded only as Event ID 7045 in the System log. Installing PowerShell scripts as services is uncommon in legitimate administrative scenarios and is often used by attackers as a persistence mechanism, since the service runs at boot and, by default, as LocalSystem.
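The detection logic described above, run over a few constructed 4697 events, as an added example (not Datadog's rule implementation). It assumes events exported as Windows event XML, with the indicator list, the field names beyond the standard 4697 schema, and all sample hosts, users and paths being illustrative choices made here:

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Windows event schema (what Get-WinEvent's .ToXml() emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Indicators that a service's executable or arguments are a PowerShell host,
# a PowerShell script, or an encoded PowerShell command (assumed list).
# Longer alternatives come first so findall() reports the full token.
POWERSHELL_INDICATORS = re.compile(
    r"powershell(?:_ise)?\.exe|\bpwsh(?:\.exe)?\b|\.ps1\b|-encodedcommand\b|-enc\b",
    re.IGNORECASE,
)


def make_event(event_id, computer, **data):
    """Build a trimmed event XML string. Constructed sample data, not a real log export."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>"
    )


def parse_4697(xml_text):
    """Return the EventData fields of a 4697 event as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4697":
        return None
    event = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    event["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS) or ""
    return event


def powershell_indicators(event):
    """Indicator tokens found in the service file name (the command the SCM runs) and in
    the service name, in order of appearance; empty when the service is not PowerShell."""
    hits = POWERSHELL_INDICATORS.findall(event.get("ServiceFileName", ""))
    hits += POWERSHELL_INDICATORS.findall(event.get("ServiceName", ""))
    return hits


def detect(events_xml):
    """Run the rule over exported event XML and return one finding per PowerShell service."""
    findings = []
    for xml_text in events_xml:
        event = parse_4697(xml_text)
        if event is None:
            continue  # not a service installation event
        hits = powershell_indicators(event)
        if not hits:
            continue  # a service, but not a PowerShell one
        findings.append({
            "host": event["Computer"],
            "service_name": event.get("ServiceName", ""),
            "service_file_name": event.get("ServiceFileName", ""),
            "installed_by": f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}',
            "run_as": event.get("ServiceAccount", ""),
            "indicators": hits,
        })
    return findings


# Constructed sample events (hosts, users and paths are invented for this example).
SAMPLE_EVENTS = [
    # Script dropped to ProgramData and wrapped in powershell.exe: classic persistence.
    make_event(4697, "WS01.corp.local",
               SubjectUserName="jdoe", SubjectDomainName="CORP",
               ServiceName="WindowsUpdateHelper",
               ServiceFileName=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                               r"-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\update.ps1",
               ServiceType="0x10", ServiceStartType="2", ServiceAccount="LocalSystem"),
    # PowerShell 7 host with an encoded command; the script body is hidden in the base64.
    make_event(4697, "SRV02.corp.local",
               SubjectUserName="svc_deploy", SubjectDomainName="CORP",
               ServiceName="TelemetrySync",
               ServiceFileName=r"C:\Program Files\PowerShell\7\pwsh.exe -NoProfile -EncodedCommand "
                               r"UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMwAwADAA",
               ServiceType="0x10", ServiceStartType="2", ServiceAccount="LocalSystem"),
    # Ordinary vendor agent: must not fire.
    make_event(4697, "WS01.corp.local",
               SubjectUserName="SYSTEM", SubjectDomainName="NT AUTHORITY",
               ServiceName="VendorAgent",
               ServiceFileName=r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
               ServiceType="0x10", ServiceStartType="2", ServiceAccount="LocalSystem"),
    # Process creation (4688) that mentions PowerShell: a different event, so the rule ignores it.
    make_event(4688, "WS01.corp.local",
               SubjectUserName="jdoe", SubjectDomainName="CORP",
               NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'{f["host"]}: service {f["service_name"]!r} installed by {f["installed_by"]} '
              f'running as {f["run_as"]} -> {f["indicators"]}')
```

The check is applied to the service file name first because that is what actually executes; matching on the service name alone would miss a script registered under an innocuous name like WindowsUpdateHelper, and the 4688 sample shows why the event ID filter matters for keeping the alert specific to service installation.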
Triage & Response
- Examine the service details on {{host}} (service name, binary path and arguments, start type and the account it runs as) to verify the PowerShell service installation and identify the exact command or script being executed.
- Identify the user account that installed the service and determine if this was an authorized administrative action.
- Review the content of the PowerShell script being executed by the service to understand its functionality and intent.
- Check if the service was installed remotely (for example via sc.exe against a remote host or a PsExec-style tool), which would be a stronger indicator of malicious activity. Event 4697 carries no source address, so correlate its Subject Logon ID with a preceding 4624 network logon (logon type 3) for the same account.
- Analyze any network connections established by the PowerShell service for potential command and control activities.
- Reset credentials for any accounts involved in installing unauthorized services.