sigma-rules/rules/windows/execution_local_service_commands.toml

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"

query = '''
event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"