SCM Database Privileged Operation
Detects non-system users performing privileged operation os the SCM database
Sigma rule (View on GitHub)
1title: SCM Database Privileged Operation
2id: dae8171c-5ec6-4396-b210-8466585b53e9
3status: test
4description: Detects non-system users performing privileged operation os the SCM database
5references:
6 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
7author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
8date: 2019-08-15
9modified: 2022-09-18
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1548
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 4674
20 ObjectType: 'SC_MANAGER OBJECT'
21 ObjectName: 'servicesactive'
22 PrivilegeList: 'SeTakeOwnershipPrivilege'
23 filter:
24 SubjectLogonId: '0x3e4'
25 ProcessName|endswith: ':\Windows\System32\services.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: medium
References
-
Analytics A few initial ideas to explore your data and validate your detection logic: Analytic I Detects non-system users failing to get a handle of the SCM database. Data source Event Provider Rel...
Read More
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Abused Debug Privilege by Arbitrary Parent Processes
- CA Policy Removed by Non Approved Actor