[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"

[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"

query = '''
event.category:process and event.type:(start or process_started) and
  process.name:sc.exe and
  process.args:(config or create or failure or start)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"