security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_service_execution.yml
T

26 lines
855 B
YAML
Raw Normal View History

Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
title: Service Execution
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
Change status for old rules
2021-11-27 11:33:14 +01:00
status: test
Updated ART reference links from .yaml to .md and sub-technique links.
2021-07-06 17:21:22 +08:00
description: Detects manual service execution (start) via system utilities.
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
references:
Change status for old rules
2021-11-27 11:33:14 +01:00
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
date: 2019/10/21
modified: 2021/11/27
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
logsource:
Change status for old rules
2021-11-27 11:33:14 +01:00
category: process_creation
product: windows
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
detection:
Change status for old rules
2021-11-27 11:33:14 +01:00
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
condition: selection
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
falsepositives:
Change status for old rules
2021-11-27 11:33:14 +01:00
- Legitimate administrator or user executes a service for legitimate reasons.
Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00
level: low
tags:
Change status for old rules
2021-11-27 11:33:14 +01:00
- attack.execution
- attack.t1569.002
Reference in New Issue Copy Permalink