valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4789b15fd5
SigmaHQ/rules/windows/process_creation/win_service_execution.yml

26 lines
878 B
YAML
Raw Normal View History

Unified line terminators of rules to Unix
2019-11-12 22:05:36 +00:00
title: Service Execution
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
Unified line terminators of rules to Unix
2019-11-12 22:05:36 +00:00
status: experimental
description: Detects manual service execution (start) via system utilities
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
level: low
tags:
- attack.execution
- attack.t1035
Reference in New Issue Copy Permalink