Service Command Lateral Movement
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
11lateral movement but will be noisy if commonly done by admins.
12"""
13from = "now-9m"
14index = [
15 "logs-endpoint.events.process-*",
16 "logs-endpoint.events.network-*",
17 "winlogbeat-*",
18 "logs-windows.sysmon_operational-*",
19]
20language = "eql"
21license = "Elastic License v2"
22name = "Service Command Lateral Movement"
23risk_score = 21
24rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
25severity = "low"
26tags = [
27 "Domain: Endpoint",
28 "OS: Windows",
29 "Use Case: Threat Detection",
30 "Tactic: Lateral Movement",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33]
34type = "eql"
35
36query = '''
37sequence by process.entity_id with maxspan = 1m
38 [process where host.os.type == "windows" and event.type == "start" and
39 (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
40 process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
41 process.args : ("create", "config", "failure", "start")]
42 [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1021"
50name = "Remote Services"
51reference = "https://attack.mitre.org/techniques/T1021/"
52
53
54[rule.threat.tactic]
55id = "TA0008"
56name = "Lateral Movement"
57reference = "https://attack.mitre.org/tactics/TA0008/"
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1543"
62name = "Create or Modify System Process"
63reference = "https://attack.mitre.org/techniques/T1543/"
64[[rule.threat.technique.subtechnique]]
65id = "T1543.003"
66name = "Windows Service"
67reference = "https://attack.mitre.org/techniques/T1543/003/"
68
69
70
71[rule.threat.tactic]
72id = "TA0003"
73name = "Persistence"
74reference = "https://attack.mitre.org/tactics/TA0003/"
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1569"
79name = "System Services"
80reference = "https://attack.mitre.org/techniques/T1569/"
81[[rule.threat.technique.subtechnique]]
82id = "T1569.002"
83name = "Service Execution"
84reference = "https://attack.mitre.org/techniques/T1569/002/"
85
86
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell