security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a0bad54dbda170d5369f54ccede5f11f999da4de
blue-team-tools/rules/windows/process_creation/win_service_execution.yml
T

26 lines
883 B
YAML
Raw Normal View History

Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
title: Service Execution
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
status: experimental
description: Detects manual service execution (start) via system utilities
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
fix: simplified rule with RE
2019-12-03 11:24:00 +01:00
Image|endswith:
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
- '\net.exe'
- '\net1.exe'
fix: simplified rule with RE
2019-12-03 11:24:00 +01:00
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
level: low
tags:
- attack.execution
- attack.t1035
Reference in New Issue Copy Permalink