Service Command Lateral Movement
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
# Elastic prebuilt detection rule: Service Command Lateral Movement.
# A two-stage EQL sequence: an sc.exe launch that names a remote host,
# followed within one minute by a network connection from that same process.

[metadata]
creation_date = "2020/09/02"
updated_date = "2024/10/15"
integration = ["endpoint", "windows"]
maturity = "production"
# min_stack_comments records a breaking change in the Windows integration at
# 8.14.0, so the rule is gated to that stack version and later.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
name = "Service Command Lateral Movement"
rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
author = ["Elastic"]
license = "Elastic License v2"
description = """\
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
# Deliberately low-scoring: the description notes that administrators using
# sc.exe against remote hosts is common, so this is a weak signal on its own.
risk_score = 21
severity = "low"
from = "now-9m"
language = "eql"
type = "eql"
# Both process and network events are needed; the sequence below joins them.
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
]
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]

# Stage 1: a process start whose name or PE original_file_name is sc.exe (the
# PE check still matches a renamed copy when PE metadata is present), with an
# argument beginning with "\\" -- the "\\<host>" form sc.exe uses for a remote
# target -- a binPath= argument, and one of the verbs create/config/failure/start.
# Stage 2: within 1m, the same process (joined on process.entity_id) opens a
# network connection whose destination is not 127.0.0.1. Note that only the
# IPv4 loopback literal is excluded; no other local addresses are filtered.
query = '''
sequence by process.entity_id with maxspan = 1m
 [process where host.os.type == "windows" and event.type == "start" and
 (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
 process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
 process.args : ("create", "config", "failure", "start")]
 [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
'''

# MITRE ATT&CK mapping. Each [[rule.threat]] element pairs one tactic with the
# technique(s) attributed to it; TOML arrays keep the element order below.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0008", name = "Lateral Movement", reference = "https://attack.mitre.org/tactics/TA0008/" }

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0003", name = "Persistence", reference = "https://attack.mitre.org/tactics/TA0003/" }

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }

[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"

[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"
Related rules
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell