Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

SCM Database Privileged Operation

Detects non-system users performing privileged operation os the SCM database

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), Tim SheltonCreated Thu Aug 15Updated Sun Sep 18dae8171c-5ec6-4396-b210-8466585b53e9windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
    filter:
        SubjectLogonId: '0x3e4'
        ProcessName|endswith: ':\Windows\System32\services.exe'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
threathunterplaybook.com
MITRE ATT&CK
Rule Metadata
Rule ID
dae8171c-5ec6-4396-b210-8466585b53e9
Status
test
Level
medium
Type
Detection
Created
Thu Aug 15
Modified
Sun Sep 18
Author
Roberto Rodriguez (Cyb3rWard0g), Tim Shelton
Path
rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1548
View on GitHub