high
advisory
Service Creation via Local Kerberos Authentication Leading to Privilege Escalation
3 rules 1 TTP
The rule detects a successful local logon with Kerberos authentication originating from localhost (127.0.0.1 or ::1), followed by a service creation from the same LogonId. A loopback Kerberos logon that is immediately used to install a service indicates a potential Kerberos relay attack used for local privilege escalation to LocalSystem.
kerberos
relay
privilege-escalation
windows
service-creation
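The correlation the rule describes, written out as an added example (not the rule vendor's query or code): a loopback Kerberos network logon (Security event 4624, LogonType 3) is matched against a later service install (Security event 4697) whose SubjectLogonId equals the logon's TargetLogonId. The field names follow the Windows Security event schema; the one-minute correlation window and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Source addresses that mark the logon as a loopback (local) Kerberos authentication.
LOCALHOST = {"127.0.0.1", "::1"}
# Maximum gap between the logon and the service install (assumed value for this example).
MAXSPAN = timedelta(minutes=1)

# Constructed sample events using Windows Security log field names:
# 4624 = "An account was successfully logged on", 4697 = "A service was installed in the system".
SAMPLE_EVENTS = [
    # Ordinary remote administration: Kerberos network logon from another host, then a service install.
    {"time": "2024-05-01T10:00:00", "event_id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.5",
     "TargetUserName": "svc-deploy", "TargetLogonId": "0x1a2b3c"},
    {"time": "2024-05-01T10:00:05", "event_id": 4697, "SubjectLogonId": "0x1a2b3c",
     "ServiceName": "Deploy Agent", "ServiceFileName": r"C:\Program Files\Deploy\agent.exe"},
    # Suspicious: Kerberos network logon from loopback as the machine account, followed seconds later
    # by a service install from the same logon session.
    {"time": "2024-05-01T10:01:00", "event_id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "127.0.0.1",
     "TargetUserName": "WS01$", "TargetLogonId": "0x4d5e6f"},
    {"time": "2024-05-01T10:01:03", "event_id": 4697, "SubjectLogonId": "0x4d5e6f",
     "ServiceName": "UpdaterSvc", "ServiceFileName": r"cmd.exe /c C:\Users\Public\x.exe"},
    # Loopback logon, but NTLM rather than Kerberos: outside this rule's scope.
    {"time": "2024-05-01T10:01:30", "event_id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "::1",
     "TargetUserName": "WS01$", "TargetLogonId": "0x5a5a5a"},
    {"time": "2024-05-01T10:01:32", "event_id": 4697, "SubjectLogonId": "0x5a5a5a",
     "ServiceName": "OtherSvc", "ServiceFileName": r"C:\Windows\Temp\o.exe"},
    # Loopback Kerberos logon whose service install arrives well outside the window.
    {"time": "2024-05-01T10:02:00", "event_id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "::1",
     "TargetUserName": "WS01$", "TargetLogonId": "0x777888"},
    {"time": "2024-05-01T10:09:00", "event_id": 4697, "SubjectLogonId": "0x777888",
     "ServiceName": "LateSvc", "ServiceFileName": r"C:\Windows\Temp\late.exe"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used by the constructed events."""
    return datetime.fromisoformat(value)


def is_local_kerberos_logon(ev):
    """True for a 4624 network logon authenticated with Kerberos from a loopback address."""
    return (ev["event_id"] == 4624
            and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "Kerberos"
            and ev.get("IpAddress") in LOCALHOST)


def detect_local_kerberos_service_creation(events, maxspan=MAXSPAN):
    """Return one alert per service install (4697) whose SubjectLogonId matches a loopback
    Kerberos logon (4624 TargetLogonId) seen no more than `maxspan` earlier."""
    pending = {}   # TargetLogonId -> (logon time, logon event)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        now = parse_time(ev["time"])
        if is_local_kerberos_logon(ev):
            pending[ev["TargetLogonId"]] = (now, ev)
        elif ev["event_id"] == 4697:
            hit = pending.get(ev.get("SubjectLogonId"))
            if hit is None:
                continue
            logon_time, logon = hit
            if now - logon_time <= maxspan:
                alerts.append({
                    "logon_id": ev["SubjectLogonId"],
                    "account": logon["TargetUserName"],
                    "service_name": ev["ServiceName"],
                    "service_file": ev["ServiceFileName"],
                    "seconds_after_logon": (now - logon_time).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_local_kerberos_service_creation(SAMPLE_EVENTS):
        print(alert)
```

Only the loopback Kerberos logon followed within the window by a service install from the same LogonId produces an alert; the remote logon, the NTLM logon and the late install all fall through. On real data the join key must be the TargetLogonId of 4624 against the SubjectLogonId of 4697 (or 7045 from the System log, which lacks a LogonId and therefore needs a different join), not the account name, because the machine account logs on constantly.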
low
advisory
Service Control Executed from Script Interpreters
2 rules 8 TTPs
Detects Service Control (sc.exe) being spawned from a script interpreter process such as PowerShell or cmd.exe to create, modify, or start a service, which may indicate a privilege escalation or persistence attempt by an attacker.
Elastic Defend +2
privilege-escalation
defense-evasion
execution
windows
service-creation
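The parent-process and command-line match the rule describes, as an added example that is not the rule vendor's own logic: process-creation events (Sysmon event 1 style fields Image, ParentImage, CommandLine, ProcessId) are filtered to sc.exe children of script interpreters, and the sc.exe command line is parsed for a verb that creates, modifies or starts a service. The interpreter list, the verb set and the sample events are assumptions constructed for this example.

```python
import ntpath
import re

# Script interpreters whose sc.exe children are in scope (assumed list for this example).
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# sc.exe verbs that create, modify or start a service (assumed set for this example);
# read-only verbs such as query, qc and queryex are deliberately excluded.
SERVICE_CHANGING_VERBS = {"create", "config", "start", "failure"}

# Constructed sample process-creation events using Sysmon event 1 field names.
SAMPLE_EVENTS = [
    # PowerShell creating a service that points at a world-writable path.
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" create UpdaterSvc binPath= "C:\Users\Public\x.exe" start= auto'},
    # Read-only query from cmd.exe: not a change, no alert.
    {"ProcessId": 4121, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc query wuauserv"},
    # A packaged installer starting its own service: parent is not a script interpreter.
    {"ProcessId": 4122, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": "sc.exe start VendorAgent"},
    # cmd.exe reconfiguring a service start type.
    {"ProcessId": 4123, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc config WinDefend start= disabled"},
    # wscript.exe starting a service on a remote host (sc accepts \\server before the verb).
    {"ProcessId": 4124, "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"sc \\FS01 start Browser"},
]

# First token is the executable, quoted or not; the remainder is the argument string.
_EXE_PREFIX = re.compile(r'^\s*(?:"[^"]+"|\S+)\s*(.*)$')


def parse_sc_command(cmdline):
    """Return (verb, service name, remote server) from an sc.exe command line.
    Handles a quoted executable path and the optional \\\\server argument sc.exe takes first."""
    match = _EXE_PREFIX.match(cmdline)
    args = match.group(1).split() if match else []
    server = None
    if args and args[0].startswith("\\\\"):
        server, args = args[0], args[1:]
    verb = args[0].lower() if args else None
    service = args[1] if len(args) > 1 else None
    return verb, service, server


def detect_sc_from_script_interpreter(events):
    """Alert on sc.exe launched by a script interpreter with a service-changing verb."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if image != "sc.exe" or parent not in SCRIPT_INTERPRETERS:
            continue
        verb, service, server = parse_sc_command(ev["CommandLine"])
        if verb in SERVICE_CHANGING_VERBS:
            alerts.append({"pid": ev["ProcessId"], "parent": parent, "verb": verb,
                           "service": service, "remote": server})
    return alerts


if __name__ == "__main__":
    for alert in detect_sc_from_script_interpreter(SAMPLE_EVENTS):
        print(alert)
```

Matching on the parent image alone is noisy, since administrators run sc.exe from cmd.exe routinely; restricting to verbs that change service state, and surfacing the service name and binPath, is what lets an analyst separate `sc config WinDefend start= disabled` from a harmless `sc query`. The basename comparison also keeps a renamed or relocated interpreter from slipping past an exact path match.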