IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Remote System Discovery Commands Renamed AutoIt Scripts Interpreter »

› › ›

Remotely Started Services via RPC

edit

Remotely Started Services via RPC

edit

Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators."

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Lateral Movement
Execution

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

sequence with maxspan=1s [network where process.name :
"services.exe" and network.direction == "incoming" and
network.transport == "tcp" and source.port >= 49152 and
destination.port >= 49152 and source.address not in ("127.0.0.1",
"::1") ] by host.id, process.entity_id [process where
event.type in ("start", "process_started") and process.parent.name :
"services.exe" and not (process.name : "svchost.exe" and
process.args : "tiledatamodelsvc") and not (process.name :
"msiexec.exe" and process.args : "/V") /* uncomment if psexec
is noisy in your environment */ /* and not process.name :
"PSEXESVC.exe" */ ] by host.id, process.parent.entity_id

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/

« Remote System Discovery Commands Renamed AutoIt Scripts Interpreter »