Elastic Security Detection Rules

System Service Discovery through built-in Windows Utilities

Last updated 8 days ago on 2025-12-17
Created 3 years ago on 2023-01-24

About

Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: DiscoveryData Source: Elastic DefendData Source: Elastic EndgameRule Type: BBRData Source: Windows Security Event LogsLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

System Service Discovery (T1007)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-endpoint.events.process-*logs-system.security*logs-windows.*winlogbeat-*
Related Integrations

windows(external, opens in a new tab or window)

endpoint(external, opens in a new tab or window)

system(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "windows" and event.type == "start" and process.parent.executable != null and
  (
  ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and 
    not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2 and
    not process.parent.args : ("*.bat", "*netlogon*", "\\\\*")) or
  ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*") and not process.parent.args : "*.bat") or
  ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc" and not process.command_line : "*\\Windows\\TEMP\\nessus_task_list*") or
  (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe")
  ) and
  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
  not process.parent.executable in
                       ("C:\\Program Files\\AzureConnectedMachineAgent\\himds.exe",
                        "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe",
                        "C:\\Program Files\\Varian\\DICOMServices\\VMS.DICOMServices.ServiceFW.GenericControlledServiceHost.exe",
                        "C:\\Senior\\HCM\\jdk-11.0.2\\bin\\java.exe",
                        "D:\\biomerieux\\programs\\ServiceMonitor\\bin\\MylaServiceMonitor.exe",
                        "C:\\ViewPowerPro\\openJDK\\bin\\javaw.exe",
                        "C:\\ServiceNow MID Server mid-server-autosports-prod\\agent\\jre\\bin\\java.exe") and
  not process.command_line in ("sc  queryex SCardSvr",
                               "sc  query \"Axway_Integrator\" ",
                               "sc  query \"Delta enteliVAULT PostgreSQL\" ",
                               "sc  query \"WERMA-WIN-Connector\" ",
                               "sc  query _EWSSynchronizationServer_JDE ",
                               "sc query SchneiderUPSMySQL")

Install detection rules in Elastic Security

Detect System Service Discovery through built-in Windows Utilities in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).