Remotely Started Services via RPC

edit

Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators."

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Lateral Movement
  • Execution

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit
sequence with maxspan=1s [network where process.name :
"services.exe" and network.direction == "incoming" and
network.transport == "tcp" and source.port >= 49152 and
destination.port >= 49152 and source.address not in ("127.0.0.1",
"::1") ] by host.id, process.entity_id [process where
event.type in ("start", "process_started") and process.parent.name :
"services.exe" and not (process.name : "svchost.exe" and
process.args : "tiledatamodelsvc") and not (process.name :
"msiexec.exe" and process.args : "/V") /* uncomment if psexec
is noisy in your environment */ /* and not process.name :
"PSEXESVC.exe" */ ] by host.id, process.parent.entity_id

Threat mapping

edit

Framework: MITRE ATT&CKTM