Execution of an Unsigned Service
editExecution of an Unsigned Service
editThis rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.process-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Execution
- Tactic: Defense Evasion
- Rule Type: BBR
- Data Source: Elastic Defend
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edithost.os.type:windows and event.category:process and event.type:start and process.parent.executable:"C:\\Windows\\System32\\services.exe" and (process.code_signature.exists:false or process.code_signature.trusted:false) and not process.code_signature.status : (errorCode_endpoint* or "errorChaining")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: System Services
- ID: T1569
- Reference URL: https://attack.mitre.org/techniques/T1569/
-
Sub-technique:
- Name: Service Execution
- ID: T1569.002
- Reference URL: https://attack.mitre.org/techniques/T1569/002/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
-
Sub-technique:
- Name: Invalid Code Signature
- ID: T1036.001
- Reference URL: https://attack.mitre.org/techniques/T1036/001/