security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/windows/lateral_movement_cmd_service.toml
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

80 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Service Command Lateral Movement"
risk_score = 21
rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
sequence by process.entity_id with maxspan = 1m
[process where event.type in ("start", "process_started") and
(process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
process.args : ("create", "config", "failure", "start")]
[network where process.name : "sc.exe" and destination.ip != "127.0.0.1"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"
[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink