title: SCM Database Privileged Operation
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/15
description: Detects non-system users performing privileged operation os the SCM database
detection:
  SELECTION_1:
    EventID: 4674
  SELECTION_2:
    ObjectType: SC_MANAGER OBJECT
  SELECTION_3:
    ObjectName: servicesactive
  SELECTION_4:
    PrivilegeList: SeTakeOwnershipPrivilege
  SELECTION_5:
    SubjectLogonId: '0x3e4'
  condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
    (SELECTION_5))
falsepositives:
- Unknown
id: dae8171c-5ec6-4396-b210-8466585b53e9
level: critical
logsource:
  product: windows
  service: security
references:
- https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html
status: experimental
tags:
- attack.privilege_escalation
- attack.t1548
ruletype: SIGMA