Techniques
Sample rules
Windows Service Creation on Remote Endpoint
- source: splunk
- technicques:
- T1543
- T1543.003
Description
This analytic looks for the execution of sc.exe
with command-line arguments utilized to create a Windows Service on a remote endpoint. Red Teams and adversaries alike may abuse the Service Control Manager for lateral movement and remote code execution.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*create* AND Processes.process=*binpath*) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_service_creation_on_remote_endpoint_filter`