Remotely Started Services via RPC

Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Lateral Movement

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence with maxspan=1s
   [network where process.name : "services.exe" and
      network.direction : ("incoming", "ingress") and network.transport == "tcp" and
      source.port >= 49152 and destination.port >= 49152 and source.address not in ("", "::1")
   ] by host.id, process.entity_id

   [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
       not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
       not (process.name : "msiexec.exe" and process.args : "/V")

    /* uncomment if psexec is noisy in your environment */
    /* and not process.name : "PSEXESVC.exe" */
   ] by host.id, process.parent.entity_id
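The two-stage sequence above re-implemented in Python as an added example (not Elastic's code), run over constructed sample events so the join on host.id and the services.exe entity id, the 1 s maxspan and the benign-process exclusions can be checked offline. Field names follow the rule; `DYNAMIC_PORT`, `sample_events` and the event dicts are assumptions.

```python
from datetime import datetime, timedelta
MAXSPAN = timedelta(seconds=1)  # the sequence's maxspan=1s
DYNAMIC_PORT = 49152            # start of the Windows dynamic (RPC ephemeral) port range

def inbound_rpc_to_services(ev):
    """Stage 1 of the sequence: a remote TCP peer connected to services.exe on high ports."""
    return (ev["category"] == "network"
            and ev.get("process.name", "").lower() == "services.exe"
            and ev.get("network.direction") in ("incoming", "ingress")
            and ev.get("network.transport") == "tcp"
            and ev.get("source.port", 0) >= DYNAMIC_PORT
            and ev.get("destination.port", 0) >= DYNAMIC_PORT
            and ev.get("source.address") not in ("", "::1"))

def service_child_start(ev, exclude_psexec=False):
    """Stage 2: a process started by services.exe, minus the rule's benign exclusions."""
    name, args = ev.get("process.name", "").lower(), ev.get("process.args", [])
    return (ev["category"] == "process"
            and ev.get("event.type") in ("start", "process_started")
            and ev.get("process.parent.name", "").lower() == "services.exe"
            and not (name == "svchost.exe" and "tiledatamodelsvc" in args)
            and not (name == "msiexec.exe" and "/V" in args)
            and not (exclude_psexec and name == "psexesvc.exe"))  # the commented-out tuning

def find_sequences(events, exclude_psexec=False):
    """Join stage 1 to stage 2 on (host.id, services.exe entity_id) within MAXSPAN."""
    pending, hits = {}, []  # pending: (host.id, entity_id) -> time of the inbound connection
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if inbound_rpc_to_services(ev):
            pending[(ev["host.id"], ev["process.entity_id"])] = ev["@timestamp"]
        elif service_child_start(ev, exclude_psexec):
            key = (ev["host.id"], ev["process.parent.entity_id"])
            t0 = pending.get(key)
            if t0 is not None and timedelta(0) <= ev["@timestamp"] - t0 <= MAXSPAN:
                hits.append((key[0], ev["process.name"]))
                pending.pop(key)  # one alert per connection, as the sequence would emit
    return hits

def sample_events():
    """Constructed events (not real telemetry): a true sequence on h1, one too slow on h2."""
    t = datetime(2024, 1, 1, 12, 0, 0)
    net = {"category": "network", "process.name": "services.exe", "network.direction": "ingress",
           "network.transport": "tcp", "source.port": 51234, "destination.port": 49670,
           "source.address": "10.0.0.5", "host.id": "h1", "process.entity_id": "svc-1", "@timestamp": t}
    proc = {"category": "process", "event.type": "start", "process.parent.name": "services.exe",
            "process.parent.entity_id": "svc-1", "host.id": "h1", "process.args": [],
            "process.name": "PSEXESVC.exe", "@timestamp": t + timedelta(milliseconds=300)}
    slow_net = {**net, "host.id": "h2", "@timestamp": t + timedelta(seconds=10)}
    slow_proc = {**proc, "host.id": "h2", "process.name": "cmd.exe", "@timestamp": t + timedelta(seconds=15)}
    return [net, proc, slow_net, slow_proc]
```

Passing `exclude_psexec=True` mirrors uncommenting the PSEXESVC.exe line in the rule, which is the tuning the comment suggests for environments where PsExec is routine.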