hayabusa/rules/deep_blue_cli/security/4674.yml

title: An Operation was attempted on a privileged object
description: hogehoge
author: Yea
detection:
    selection:
        Channel: Security
        EventID: 4674
        ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
        AccessMask: '%%1539'
    # condition: selection
falsepositives:
    - unknown
output: |
    Possible Hidden Service Attempt
    User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
    User: %SubjectUserName%
    Target service:%ObjectName
    Desired Access:WRITE_DAC
creation_date: 2020/11/8
updated_date: 2020/11/8