21 lines
680 B
YAML
21 lines
680 B
YAML
title: An Operation was attempted on a privileged object
|
|
description: hogehoge
|
|
author: DeepblueCLI, Zach Mathis
|
|
detection:
|
|
selection:
|
|
Channel: Security
|
|
EventID: 4674
|
|
ProcessName|re: '(?i)C:\WINDOWS\SYSTEM32\SERVICE.EXE' # (?i) means case insesitive for Rust Regex
|
|
AccessMask: '%%1539'
|
|
# condition: selection
|
|
falsepositives:
|
|
- unknown
|
|
output: |
|
|
Possible Hidden Service Attempt
|
|
User requested to modify the Dynamic Access Control (DAC) permissions of a service, possibly to hide it from view.
|
|
User: %SubjectUserName%
|
|
Target service:%ObjectName
|
|
Desired Access:WRITE_DAC
|
|
creation_date: 2020/11/8
|
|
updated_date: 2020/11/8
|