Microsoft-Windows-Security-Auditing Event ID 4697
Sigma (27)
- CobaltStrike Service Installations - Security
- CosmicDuke Service Installation
- Credential Dumping Tools Service Execution - Security
- Encoded PowerShell payload deployed via service
- HybridConnectionManager Service Installation
- Impacket SMBexec service registration (native)
- Invoke-Obfuscation CLIP+ Launcher - Security
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- Invoke-Obfuscation Obfuscated IEX Invocation - Security
- Invoke-Obfuscation RUNDLL LAUNCHER - Security
- Invoke-Obfuscation STDIN+ Launcher - Security
- Invoke-Obfuscation VAR+ Launcher - Security
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- Invoke-Obfuscation Via Stdin - Security
- Invoke-Obfuscation Via Use Clip - Security
- Invoke-Obfuscation Via Use MSHTA - Security
- Invoke-Obfuscation Via Use Rundll32 - Security
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Mimikatz driver deployed via service
- PowerShell Scripts Installed as Services - Security
- PSexec service installation
- RDP session hijack via service creation abuse
- Remote Access Tool Services Have Been Installed - Security
- Service Installed By Unusual Client - Security
- Tap Driver Installation - Security
- Windows Pcap Drivers