security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3b305d30030d272561ba2a48dfddfc7adc9ffcdb
sigma-rules/rules/windows/execution_local_service_commands.toml
T

41 lines
1005 B
TOML
Raw Normal View History

Populate rules/ directory.
2020-06-29 22:57:00 -06:00
[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"
query = '''
event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue Copy Permalink