Service Binary in Suspicious Folder

Hunt Hypothesis

Detect the creation of a service with a service binary located in a suspicious directory

Detection Rule

Sigma (Original)

title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)'  # boot
            - 'DWORD (0x00000001)'  # System
            - 'DWORD (0x00000002)'  # Automatic
            # 3 - Manual , 4 - Disabled
    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    filter_optional_mbamservice:
        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
        Image: 'C:\Windows\system32\services.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where ((RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*" and RegistryKey endswith "\\Start" and (ActingProcessName contains "\\Users\\Public\\" or ActingProcessName contains "\\Perflogs\\" or ActingProcessName contains "\\ADMIN$\\" or ActingProcessName contains "\\Temp\\") and (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)"))) or (RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*" and RegistryKey endswith "\\ImagePath" and (RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\"))) and (not(((ActingProcessName contains "\\Common Files\\" and ActingProcessName contains "\\Temp\\") or (RegistryKey endswith "\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath" and RegistryValueData endswith "\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"" and ActingProcessName =~ "C:\\Windows\\system32\\services.exe"))))

Required Data Sources

Sentinel Table	Notes
`imRegistry`	Ensure this data connector is enabled

Service Binary in Suspicious Folder

Hunt Hypothesis

Detection Rule

Sigma (Original)

KQL (Azure Sentinel)

Required Data Sources

False Positive Guidance

MITRE ATT&CK Context

References