Service Command Lateral Movement
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
13lateral movement but will be noisy if commonly done by admins.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Service Command Lateral Movement"
20risk_score = 21
21rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
22severity = "low"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
24type = "eql"
25
26query = '''
27sequence by process.entity_id with maxspan = 1m
28 [process where host.os.type == "windows" and event.type == "start" and
29 (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
30 process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
31 process.args : ("create", "config", "failure", "start")]
32 [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1021"
40name = "Remote Services"
41reference = "https://attack.mitre.org/techniques/T1021/"
42
43
44[rule.threat.tactic]
45id = "TA0008"
46name = "Lateral Movement"
47reference = "https://attack.mitre.org/tactics/TA0008/"
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1543"
52name = "Create or Modify System Process"
53reference = "https://attack.mitre.org/techniques/T1543/"
54[[rule.threat.technique.subtechnique]]
55id = "T1543.003"
56name = "Windows Service"
57reference = "https://attack.mitre.org/techniques/T1543/003/"
58
59
60
61[rule.threat.tactic]
62id = "TA0003"
63name = "Persistence"
64reference = "https://attack.mitre.org/tactics/TA0003/"
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1569"
69name = "System Services"
70reference = "https://attack.mitre.org/techniques/T1569/"
71[[rule.threat.technique.subtechnique]]
72id = "T1569.002"
73name = "Service Execution"
74reference = "https://attack.mitre.org/techniques/T1569/002/"
75
76
77
78[rule.threat.tactic]
79id = "TA0002"
80name = "Execution"
81reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Direct Outbound SMB Connection
- Execution via TSClient Mountpoint
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows