← Back to SOC feed Coverage →

PowerShell as a Service in Registry

sigma HIGH SigmaHQ
T1569.002
imRegistry
powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects that a powershell code is written to the registry as a service.

Detection Rule

Sigma (Original)

title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
status: test
description: Detects that a powershell code is written to the registry as a service.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath" and (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh")

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath" and (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh")

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml