title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
description: Detects powershell script installed as a Service
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2021/09/21
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    service_creation:
        EventID: 7045
    powershell_as_service:
        ImagePath|contains: 
          - 'powershell'
          - 'pwsh'
    condition: service_creation and powershell_as_service
falsepositives:
    - Unknown
level: high