This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Sensitive Privilege SeEnableDelegationPrivilege assigned to a User Service Control Spawned via Script Interpreter »

› › ›

Service Command Lateral Movement

edit

Service Command Lateral Movement

edit

Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Lateral Movement

Version: 101 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

sequence by process.entity_id with maxspan = 1m [process where
event.type == "start" and (process.name : "sc.exe" or
process.pe.original_file_name : "sc.exe") and process.args :
"\\\\*" and process.args : ("binPath=*", "binpath=*") and
process.args : ("create", "config", "failure", "start")] [network
where process.name : "sc.exe" and destination.ip != "127.0.0.1"]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: System Services
- ID: T1569
- Reference URL: https://attack.mitre.org/techniques/T1569/

Rule version history

edit

Version 101 (8.5.0 release)

Updated query, changed from:

sequence by process.entity_id with maxspan = 1m [process where
event.type in ("start", "process_started") and (process.name :
"sc.exe" or process.pe.original_file_name : "sc.exe") and
process.args : "\\\\*" and process.args : ("binPath=*", "binpath=*")
and process.args : ("create", "config", "failure", "start")]
[network where process.name : "sc.exe" and destination.ip !=
"127.0.0.1"]

Version 4 (8.4.0 release)

Formatting only

Version 3 (7.12.0 release)

Updated query, changed from:

sequence by process.entity_id with maxspan=1m [process where
event.type in ("start", "process_started") and
/* uncomment once in winlogbeat */ (process.name == "sc.exe" /*
or process.pe.original_file_name == "sc.exe" */ ) and
/* case insensitive */ wildcard(process.args, "\\\\*") and
wildcard(process.args, "binPath=*", "binpath=*") and
(process.args : "create" or process.args : "config" or
process.args : "failure" or process.args : "start")] [network
where process.name : "sc.exe" and destination.ip != "127.0.0.1"]

Version 2 (7.11.0 release)

Formatting only

« Sensitive Privilege SeEnableDelegationPrivilege assigned to a User Service Control Spawned via Script Interpreter »