Windows PowerShell scripts installed as services

This rule is part of a beta feature. To learn more, contact Support.
windows

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1569-system-services

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects PowerShell scripts being installed as Windows services, which can be used for persistence and privilege escalation.

Strategy

This rule monitors Windows event logs for service installation events that reference PowerShell. It specifically looks for Windows Event ID 4697 (Service Installation) where the service name contains PowerShell-identifiable strings. Installing PowerShell scripts as services is uncommon in legitimate administrative scenarios and is often used by attackers as a persistence mechanism.

Triage & Response

  • Examine the service details on {{host}} to verify the PowerShell service installation and identify the exact command or script being executed.
  • Identify the user account that installed the service and determine if this was an authorized administrative action.
  • Review the content of the PowerShell script being executed by the service to understand its functionality and intent.
  • Check if the service was installed remotely, which would be a stronger indicator of malicious activity.
  • Analyze any network connections established by the PowerShell service for potential command and control activities.
  • Reset credentials for any accounts involved in installing unauthorized services.