feat(rules): Add Executable file dropped by an unsigned service DLL rule

rabbitstack · rabbitstack · commit fd099e9d1b56 · 2025-04-04T23:57:24.000+02:00
Identifies the loading of an unsigned DLL by svchost process followed by creating an executable file. Adversaries may rely on Windows Services to repeatedly execute malicious payloads as part of persistence.
diff --git a/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml b/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml
@@ -0,0 +1,37 @@
+name: Executable file dropped by an unsigned service DLL
+id: 3e29da58-0fc4-44c0-91c0-0dfc6af87e9d
+version: 1.0.0
+description: |
+  Identifies the loading of an unsigned DLL by svchost process followed by creating an
+  executable file. Adversaries may rely on Windows Services to repeatedly execute malicious 
+  payloads as part of persistence.
+labels:
+  tactic.id: TA0003
+  tactic.name: Persistence
+  tactic.ref: https://attack.mitre.org/tactics/TA0003/
+  technique.id: T1543
+  technique.name: Create or Modify System Process
+  technique.ref: https://attack.mitre.org/techniques/T1543/
+  subtechnique.id: T1543.003
+  subtechnique.name: Windows Service
+  subtechnique.ref: https://attack.mitre.org/techniques/T1543/003/
+references:
+  - https://grzegorztworek.medium.com/persistence-with-windows-services-1b21579f0ff3
+  - https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain
+
+condition: >
+  sequence
+  maxspan 3m
+    |load_unsigned_dll and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe')| as e1
+    |create_file and kevt.pid != 4 and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe')
+      and
+     (file.extension iin ('.exe', '.dll', '.com', '.js', '.vbs', '.cmd', '.bat', '.vbe') or file.is_exec or file.is_dll or file.is_driver)
+      and
+     thread.callstack.symbols iin (concat($e1.image.name, '!ServiceMain'))
+    |
+
+output: >
+  Service %1.ps.cmdline loaded an unsigned DLL %1.image.path and subsequently dropped an executable file %2.file.path
+severity: high
+
+min-engine-version: 2.2.0
