SCM Database Privileged Operation
Detects non-system users performing privileged operation os the SCM database
Sigma rule (View on GitHub)
1title: SCM Database Privileged Operation
2id: dae8171c-5ec6-4396-b210-8466585b53e9
3status: test
4description: Detects non-system users performing privileged operation os the SCM database
5references:
6 - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
7author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
8date: 2019-08-15
9modified: 2022-09-18
10tags:
11 - attack.privilege-escalation
12 - attack.t1548
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID: 4674
19 ObjectType: 'SC_MANAGER OBJECT'
20 ObjectName: 'servicesactive'
21 PrivilegeList: 'SeTakeOwnershipPrivilege'
22 filter:
23 SubjectLogonId: '0x3e4'
24 ProcessName|endswith: ':\Windows\System32\services.exe'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: medium
References
-
Analytics A few initial ideas to explore your data and validate your detection logic: Analytic I Detects non-system users failing to get a handle of the SCM database. Data source Event Provider Rel...
Read More
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Abused Debug Privilege by Arbitrary Parent Processes
- COM Hijack via Sdclt