Service Command Lateral Movement

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
11lateral movement but will be noisy if commonly done by admins.
12"""
13from = "now-9m"
14index = [
15    "logs-endpoint.events.process-*",
16    "logs-endpoint.events.network-*",
17    "winlogbeat-*",
18    "logs-windows.sysmon_operational-*",
19]
20language = "eql"
21license = "Elastic License v2"
22name = "Service Command Lateral Movement"
23risk_score = 21
24rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
25severity = "low"
26tags = [
27    "Domain: Endpoint",
28    "OS: Windows",
29    "Use Case: Threat Detection",
30    "Tactic: Lateral Movement",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon",
33]
34type = "eql"
35
36query = '''
37sequence by process.entity_id with maxspan = 1m
38  [process where host.os.type == "windows" and event.type == "start" and
39     (process.name : "sc.exe" or process.pe.original_file_name : "sc.exe") and
40      process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*") and
41      process.args : ("create", "config", "failure", "start")]
42  [network where host.os.type == "windows" and process.name : "sc.exe" and destination.ip != "127.0.0.1"]
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1021"
50name = "Remote Services"
51reference = "https://attack.mitre.org/techniques/T1021/"
52
53
54[rule.threat.tactic]
55id = "TA0008"
56name = "Lateral Movement"
57reference = "https://attack.mitre.org/tactics/TA0008/"
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1543"
62name = "Create or Modify System Process"
63reference = "https://attack.mitre.org/techniques/T1543/"
64[[rule.threat.technique.subtechnique]]
65id = "T1543.003"
66name = "Windows Service"
67reference = "https://attack.mitre.org/techniques/T1543/003/"
68
69
70
71[rule.threat.tactic]
72id = "TA0003"
73name = "Persistence"
74reference = "https://attack.mitre.org/tactics/TA0003/"
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1569"
79name = "System Services"
80reference = "https://attack.mitre.org/techniques/T1569/"
81[[rule.threat.technique.subtechnique]]
82id = "T1569.002"
83name = "Service Execution"
84reference = "https://attack.mitre.org/techniques/T1569/002/"
85
86
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top