Detectionmediumtest

Remote Service Activity via SVCCTL Named Pipe

Detects remote service activity via remote access to the svcctl named pipe

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Samir BousseadenCreated Wed Apr 03Updated Thu Aug 01586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure

Detection Logic

detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: svcctl
        AccessList|contains: 'WriteData'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement TA0003 · Persistence

Sub-techniques

T1021.002 · SMB/Windows Admin Shares

Rule Metadata

Rule ID

586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3

Status

test

Level

medium

Type

Detection

Created

Wed Apr 03

Modified

Thu Aug 01

Author

Samir Bousseaden

Path

rules/windows/builtin/security/win_security_svcctl_remote_service.yml

Raw Tags

attack.lateral-movementattack.persistenceattack.t1021.002

View on GitHub