Execution of ServiceUI.exe in Suspicious Location

Rule Info

Name: Execution of ServiceUI.exe in Suspicious Location
Author: MalGamy (Nextron Systems)
Description: Detects execution of ServiceUI.exe, a legitimate binary from the Microsoft Deployment Toolkit, potentially used for privilege escalation by running it outside of its expected directory.
Date: 2024-11-06 00:00:00
Modified: None
Id: 679a46e9-c40b-4a35-b233-2b60ca6b8489
Tags: attack.execution, attack.persistence, attack.defense-evasion
Type: Nextron Sigma feed only (private)

Rule History