Service Command Lateral Movement
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Service Command Lateral Movement"
risk_score = 21
rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan = 1m
  [process where host.os.type == "windows" and event.type == "start" and
   (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
   process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
   process.args : ("create", "config", "failure", "start")]
  [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Service Command Lateral Movement

The Service Control Manager in Windows allows for the management of services, which are crucial for system operations. Adversaries exploit this by using `sc.exe` to manipulate services on remote systems, facilitating lateral movement. The detection rule identifies suspicious `sc.exe` usage by monitoring for service-related commands targeting remote hosts, which may indicate unauthorized access attempts. This rule helps differentiate between legitimate administrative actions and potential threats.

### Possible investigation steps

- Review the process details to confirm the use of sc.exe, focusing on the process.entity_id and process.args fields to understand the specific service-related actions attempted.
- Examine the network activity associated with the sc.exe process, particularly the destination.ip field, to identify the remote host targeted by the command and assess if it is a legitimate administrative target.
- Check the event logs on the remote host for any corresponding service creation, modification, or start events to verify if the actions were successfully executed and to gather additional context.
- Investigate the user account associated with the sc.exe process to determine if it has the necessary permissions for such actions and if the account usage aligns with expected behavior.
- Correlate the alert with other recent alerts or logs involving the same process.entity_id or destination.ip to identify any patterns or additional suspicious activities that may indicate a broader attack campaign.

### False positive analysis

- Routine administrative tasks using sc.exe on remote systems can trigger false positives. Identify and document regular maintenance schedules and responsible personnel to differentiate these from potential threats.
- Automated scripts or management tools that use sc.exe for legitimate service management may cause alerts. Review and whitelist these scripts or tools by their process entity IDs to reduce noise.
- Internal IT operations often involve creating or modifying services remotely. Establish a baseline of normal activity patterns and exclude these from alerts by setting exceptions for known IP addresses or user accounts.
- Software deployment processes that involve service configuration changes can be mistaken for lateral movement. Coordinate with software deployment teams to understand their processes and exclude these activities from detection.
- Regularly review and update the exclusion list to ensure it reflects current operational practices and does not inadvertently allow malicious activity.

### Response and remediation

- Isolate the affected system from the network to prevent further lateral movement and unauthorized access to other systems.
- Terminate any suspicious `sc.exe` processes identified on the affected system to halt any ongoing malicious activity.
- Review and reset credentials for any accounts that were used in the suspicious `sc.exe` activity to prevent unauthorized access.
- Conduct a thorough examination of the affected system for any additional signs of compromise, such as unauthorized services or changes to existing services.
- Restore the affected system from a known good backup if any malicious modifications or persistent threats are detected.
- Implement network segmentation to limit the ability of adversaries to move laterally across the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"
[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
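The sequence logic of the query above, replayed in Python over constructed ECS-style events so the match conditions can be tested offline. This is an added example, not Elastic's code or the EQL engine: `eql_match` approximates the EQL `:` operator (case-insensitive, `*`/`?` wildcards), `detect` approximates `sequence by process.entity_id with maxspan = 1m` with a per-entity pending table, and the `allowed_users` / `allowed_destinations` parameters are hypothetical stand-ins for the account and IP exceptions the false-positive section recommends (they are not fields of the rule). The sample events are constructed, not captured telemetry.

```python
"""Replay of the 'Service Command Lateral Movement' EQL sequence over constructed events.
Added example, not Elastic code. Field names follow ECS; the events are constructed."""
import re
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)                    # 'with maxspan = 1m'
VERBS = ("create", "config", "failure", "start")  # process.args : ("create", "config", "failure", "start")


def eql_match(value, pattern):
    """Approximate EQL ':' : case-insensitive, '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def any_arg(args, *patterns):
    """process.args : (p1, p2, ...) holds if any argument matches any pattern."""
    return any(eql_match(a, p) for a in args for p in patterns)


def is_remote_sc(ev):
    """Stage 1: sc.exe start with a UNC target (arg beginning with \\\\), binPath=, and a verb."""
    args = ev.get("process.args", [])
    return (ev.get("event.category") == "process" and ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and (eql_match(ev.get("process.name", ""), "sc.exe")
                 or eql_match(ev.get("process.pe.original_file_name", ""), "sc.exe"))
            and any_arg(args, "\\\\*")                # the EQL literal "\\\\*" is the pattern \\*
            and any_arg(args, "binPath=*", "binpath=*")
            and any_arg(args, *VERBS))


def is_outbound_sc(ev):
    """Stage 2: a network event from sc.exe that is not bound for loopback."""
    return (ev.get("event.category") == "network" and ev.get("host.os.type") == "windows"
            and eql_match(ev.get("process.name", ""), "sc.exe")
            and ev.get("destination.ip") != "127.0.0.1")


def ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def detect(events, allowed_users=(), allowed_destinations=()):
    """Join stage 1 and stage 2 by process.entity_id within MAXSPAN; one alert per joined pair.
    allowed_users / allowed_destinations are hypothetical exception knobs, not rule fields."""
    pending = {}   # entity_id -> stage-1 event still waiting for its network event
    alerts = []
    for ev in sorted(events, key=ts):
        eid = ev.get("process.entity_id")
        if is_remote_sc(ev):
            pending[eid] = ev            # a newer stage-1 event for the same entity restarts the window
            continue
        first = pending.get(eid)
        if first is None or not is_outbound_sc(ev):
            continue
        del pending[eid]                 # consumed whether or not it is inside the window
        if ts(ev) - ts(first) > MAXSPAN:
            continue                     # outside maxspan: the stages do not join
        if first.get("user.name") in allowed_users or ev.get("destination.ip") in allowed_destinations:
            continue                     # suppressed by an exception
        verb = next(a for a in first["process.args"] if a.lower() in VERBS)
        alerts.append({"process.entity_id": eid, "user.name": first.get("user.name"), "verb": verb,
                       "destination.ip": ev["destination.ip"], "process.args": first["process.args"]})
    return alerts


def _proc(eid, t, user, args):   # constructed Elastic Defend / Sysmon-style process start event
    return {"@timestamp": t, "event.category": "process", "event.type": "start", "host.os.type": "windows",
            "process.entity_id": eid, "process.name": "sc.exe", "process.pe.original_file_name": "sc.exe",
            "user.name": user, "process.args": args}


def _net(eid, t, dst):           # constructed network event attributed to the same process
    return {"@timestamp": t, "event.category": "network", "host.os.type": "windows",
            "process.entity_id": eid, "process.name": "sc.exe", "destination.ip": dst}


SAMPLE_EVENTS = [   # constructed, not real telemetry
    # E1: remote service creation with a binary in Temp, then a connection to the target -> alert
    _proc("E1", "2025-01-15T10:00:00Z", "jdoe",
          ["sc.exe", "\\\\FS01", "create", "updsvc", "binPath=", "C:\\Windows\\Temp\\u.exe"]),
    _net("E1", "2025-01-15T10:00:01Z", "10.0.0.5"),
    # E2: local query, loopback only -> no alert (no UNC arg, no binPath=, loopback destination)
    _proc("E2", "2025-01-15T10:01:00Z", "jdoe", ["sc.exe", "query", "Spooler"]),
    _net("E2", "2025-01-15T10:01:00Z", "127.0.0.1"),
    # E3: matching command line, but the network event lands 90 s later -> outside maxspan, no alert
    _proc("E3", "2025-01-15T10:05:00Z", "jdoe",
          ["sc.exe", "\\\\WS42", "config", "Spooler", "binPath=", "C:\\Windows\\System32\\spoolsv.exe"]),
    _net("E3", "2025-01-15T10:06:30Z", "10.0.0.42"),
    # E4: deployment account reconfiguring an agent on a server -> alert unless excepted
    _proc("E4", "2025-01-15T10:07:00Z", "svc_deploy",
          ["sc.exe", "\\\\APP07", "config", "AgentSvc", "binPath=", "C:\\Program Files\\Agent\\agent.exe",
           "start=", "auto"]),
    _net("E4", "2025-01-15T10:07:02Z", "10.0.0.9"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["process.entity_id"], a["user.name"], a["verb"], a["destination.ip"])
```

Two points the replay makes visible. First, every stage-1 branch requires an argument matching `binPath=*`, so a bare `sc \\host start svc` does not match on its own; the rule relies on the `create` or `config` call that normally precedes it. Second, the guide's suggestion to whitelist tools "by their process entity IDs" does not work as an exception: `process.entity_id` is unique to each process instance, so a durable exception has to key on something stable such as the executable path, parent process, account or destination host, which is what the `allowed_users` and `allowed_destinations` knobs above stand in for.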
Related rules
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell