# Rule template for the CVE-SIGMA Auto Generator: a Sigma process_creation
# rule skeleton for Windows service manipulation (sc.exe / net.exe), with
# {{PLACEHOLDER}} tokens that the generator fills in from a CVE / PoC.
template_name: "Service Manipulation Detection"
description: "Detects suspicious Windows service manipulation based on PoC exploit indicators"
# Keywords that select this template for a given CVE; presumably matched as
# substrings against the affected product / PoC text — TODO confirm the
# matcher and its case handling in the generator.
applicable_product_patterns:
  - "service"
  - "windows"
  - "microsoft"
  - "sc.exe"
  - "net.exe"
# Literal block scalar (`|`): the body is stored verbatim (one trailing
# newline kept) and is only parsed as YAML after substitution. Maintainer
# notes are kept here, outside the block, so they never become part of the
# rendered rule:
# - {{TITLE}}, {{DESCRIPTION}}, {{DATE}} and {{LEVEL}} are substituted
#   unquoted; a value containing ': ', ' #', a leading YAML indicator or a
#   newline breaks or mis-types the rendered YAML unless the generator
#   escapes it — NOTE(review): confirm how the generator quotes these.
# - {{COMMANDS}}, {{PROCESSES}}, {{REFERENCES}} and {{TAGS}} sit where Sigma
#   expects a list, so the substituted text must itself be indent-correct
#   YAML (a flow list, or a block list indented under its key).
# - '\\sc.exe' / '\\net.exe' are single-quoted, so the backslashes reach
#   Sigma unchanged; Sigma treats `\\` as one literal backslash, i.e. a path
#   ending in \sc.exe.
# - The condition ORs three selections: selection_net fires on any net.exe
#   command line containing start/stop/pause/continue, and selection_service
#   is not scoped to an Image, so the rule is broad by design (hence the
#   listed falsepositives); narrowing to the CVE-specific names is left to
#   the consumer of the rendered rule.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_sc:
      Image|endswith: '\\sc.exe'
      CommandLine|contains: {{COMMANDS}}
    selection_net:
      Image|endswith: '\\net.exe'
      CommandLine|contains:
        - 'start'
        - 'stop'
        - 'pause'
        - 'continue'
    selection_service:
      CommandLine|contains: {{PROCESSES}}
    condition: selection_sc or selection_net or selection_service
  falsepositives:
    - Legitimate system administration
    - Software installations
  level: {{LEVEL}}