The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Local Scheduled Task Commands Malware - Detected - Elastic Endpoint »

› › ›

Local Service Commands

edit

Local Service Commands

edit

Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Windows

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Rule query

edit

event.action:"Process Create (rule: ProcessCreate)" and
process.name:sc.exe and process.args:(config or create or failure or
start)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/

Rule version history

edit

Version 2 (7.7.0 release)

Updated query, changed from:

event.action:"Process Create (rule: ProcessCreate)" and
process.name:sc.exe and process.args:("create" or "config" or
"failure" or "start")

« Local Scheduled Task Commands Malware - Detected - Elastic Endpoint »