[metadata] creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/06/22" [rule] author = ["Elastic"] description = """ Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. """ from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Service Command Lateral Movement" risk_score = 21 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc" severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] type = "eql" query = ''' sequence by process.entity_id with maxspan = 1m [process where host.os.type == "windows" and event.type == "start" and (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and process.args : ("create", "config", "failure", "start")] [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"] ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"