security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create win_svcctl_remote_service.yml

Browse Source
This commit is contained in:
sbousseaden
2019-04-03 13:58:20 +02:00
committed by GitHub
parent 32c6b34746
commit d62bc41bfb
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_svcctl_remote_service.yml
+22
View File
@@ -0,0 +1,22 @@
title: Remote Service Activity Detected via SVCCTL named pipe
description: Detects remote remote service activity via remote access to the svcctl named pipe
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
tags:
- attack.lateral_movement
- attack.persistence
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: svcctl
Accesses: '*WriteData*'
condition: selection
falsepositives:
- pentesting
level: medium