Merge pull request #1629 from leegengyu/patch-4

Update win_mal_service_installs.yml - Add service & event ID

rules/windows/builtin/win_mal_service_installs.yml

@@ -1,9 +1,13 @@
 title: Malicious Service Installations
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
+description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
 author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
-modified: 2021/05/27
+modified: 2021/07/06
+references:
+    - https://awakesecurity.com/blog/threat-hunting-for-paexec/
+    - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
+    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -18,13 +22,17 @@ logsource:
     service: system
 detection:
     selection:
-        EventID: 7045
+        EventID:
+            - 4697
+            - 7045
     malsvc_paexec:
         ServiceFileName|contains: '\PAExec'
     malsvc_wannacry:
         ServiceName: 'mssecsvc2.0'
     malsvc_persistence:
         ServiceFileName|contains: 'net user'
+    malsvc_apt29:
+        ServiceName: 'javamtsup'
     condition: selection and 1 of malsvc_*
 falsepositives:
     - Penetration testing