security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8e240f9e793d7c24942e4bbe9c8bfceca8d03136
sigma-rules/rules/windows/lateral_movement_cmd_service.toml
T
Jonhnathan d52c0d2257 [Rule Tuning] Remove "process_started" from Windows Rules (#2238) 
* [Rule Tuning] Remove "process_started" from Windows Rules

* Additional, pending ones

* Update defense_evasion_code_injection_conhost.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-09-19 13:06:30 -05:00

82 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Service Command Lateral Movement"
risk_score = 21
rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
sequence by process.entity_id with maxspan = 1m
[process where event.type == "start" and
(process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
process.args : ("create", "config", "failure", "start")]
[network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"
[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink