action: global
title: PowerShell Scripts Installed as Services
description: Detects powershell script installed as a Service
status: experimental
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2021/05/21
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
    - attack.execution
    - attack.t1569.002
detection:
    powershell_as_service:
        ServiceFileName|contains: 
          - 'powershell'
          - 'pwsh'
    condition: service_creation and powershell_as_service
falsepositives:
    - Unknown
level: high
---
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
logsource:
    product: windows
    service: system
detection:
    service_creation:
        EventID: 7045
---
id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
logsource:
    product: windows
    service: sysmon
detection:
    service_creation:
        EventID: 6
---
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
logsource:
    product: windows
    service: security
detection:
    service_creation:
        EventID: 4697