A newer version is available. For the latest information, see the
current release documentation.
Local Service Commandsedit
Identifies use of sc.exe
to create, modify, or start services on remote hosts.
This could be indicative of adversary lateral movement but will be noisy if
commonly done by admins.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Rule queryedit
event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:(config or create or failure or start)
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Rule version historyedit
- Version 2 (7.7.0 release)
-
Updated query, changed from:
event.action:"Process Create (rule: ProcessCreate)" and process.name:sc.exe and process.args:("create" or "config" or "failure" or "start")