template_name: "Service Manipulation Detection"
description: "Detects suspicious Windows service manipulation based on PoC exploit indicators"
applicable_product_patterns:
  - "service"
  - "windows"
  - "microsoft"
  - "sc.exe"
  - "net.exe"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
      category: process_creation
      product: windows
  detection:
      selection_sc:
          Image|endswith: '\\sc.exe'
          CommandLine|contains:
  {{COMMANDS}}
      selection_net:
          Image|endswith: '\\net.exe'
          CommandLine|contains:
              - 'start'
              - 'stop'
              - 'pause'
              - 'continue'
      selection_service:
          CommandLine|contains:
  {{PROCESSES}}
      condition: selection_sc or selection_net or selection_service
  falsepositives:
      - Legitimate system administration
      - Software installations
  level: {{LEVEL}}