Vendor
medium
advisory
Detecting Remote Windows Service Installation for Lateral Movement
2 rules 3 TTPsThis rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.
Windows +4
lateral-movement
persistence
2r
3t
medium
advisory
Remote Execution of Windows Services via RPC
2 rules 2 TTPsDetection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.
SCCM
lateral-movement
execution
windows
2r
2t