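[metadata]
# Opts this building-block rule out of the default BBR scheduling so the `from`
# window below applies. NOTE(review): semantics inferred from the key name and the
# "Rule Type: BBR" tag — confirm against the rule-loader schema.
bypass_bbr_timing = true
creation_date = "2023/01/24"
integration = ["windows", "endpoint", "system"]
maturity = "production"
updated_date = "2025/12/17"

[rule]
author = ["Elastic"]
# Building-block rule: meant to feed higher-order correlation rather than be paged
# on directly, which is why risk_score / severity below are kept low.
building_block_type = "default"
description = """
Detects the usage of commonly used system service discovery techniques, which attackers may use during the
reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or
escalate privileges.
"""
# Look-back window. With timestamp_override = "event.ingested" it is measured against
# ingest time, so late-arriving endpoint events are still evaluated.
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-system.security*",
    "logs-windows.*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "System Service Discovery through built-in Windows Utilities"
risk_score = 21
rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Rule Type: BBR",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"
# Query notes (the query text itself is left untouched so rule hashing/versioning is
# unaffected):
#  - process.parent.executable != null: events lacking parent data are dropped, so
#    the parent-path exclusions further down can always be evaluated.
#  - net.exe / net1.exe: only bare "net start" / "net use" (args_count == 2).
#    net1.exe is matched only when its parent is not net.exe, i.e. direct use of the
#    helper. Parents invoking .bat scripts, anything with "netlogon" in its
#    arguments, or (presumably) a UNC "\\..." argument are excluded.
#  - sc.exe: "query" plus any "q*" verb (queryex, qc, ...); "q*" is deliberately broad.
#  - tasklist.exe /svc, minus the Nessus task-list command line.
#  - psservice.exe (Sysinternals): matched on name/original file name with no
#    argument filter.
#  - S-1-5-18/19/20 are the well-known LocalSystem/LocalService/NetworkService SIDs.
#    Excluding them keeps service noise down, but it also means service discovery
#    run by an implant that already executes as SYSTEM is NOT covered here.
#  - Parent executables are excluded by absolute path string only; anything able to
#    write into those directories would inherit the exclusion. Review these if the
#    listed products are not deployed in your environment.
#  - The command_line exclusions are exact, whole-string matches — the trailing
#    spaces are intentional — so a variant with different quoting or whitespace
#    still fires.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.parent.executable != null and
(
((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and
not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2 and
not process.parent.args : ("*.bat", "*netlogon*", "\\\\*")) or
((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*") and not process.parent.args : "*.bat") or
((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc" and not process.command_line : "*\\Windows\\TEMP\\nessus_task_list*") or
(process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe")
) and
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
not process.parent.executable in
("C:\\Program Files\\AzureConnectedMachineAgent\\himds.exe",
"C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe",
"C:\\Program Files\\Varian\\DICOMServices\\VMS.DICOMServices.ServiceFW.GenericControlledServiceHost.exe",
"C:\\Senior\\HCM\\jdk-11.0.2\\bin\\java.exe",
"D:\\biomerieux\\programs\\ServiceMonitor\\bin\\MylaServiceMonitor.exe",
"C:\\ViewPowerPro\\openJDK\\bin\\javaw.exe",
"C:\\ServiceNow MID Server mid-server-autosports-prod\\agent\\jre\\bin\\java.exe") and
not process.command_line in ("sc queryex SCardSvr",
"sc query \"Axway_Integrator\" ",
"sc query \"Delta enteliVAULT PostgreSQL\" ",
"sc query \"WERMA-WIN-Connector\" ",
"sc query _EWSSynchronizationServer_JDE ",
"sc query SchneiderUPSMySQL")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1007"
name = "System Service Discovery"
reference = "https://attack.mitre.org/techniques/T1007/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"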