forked from mitre-attack/car
service.yaml
---
name: Service
description: Services, or a service application, can be started automatically at system boot, by a user through the services control panel applet, or by an application that uses service functions. Services can execute even when no user is logged into the system.
actions:
  - name: create
    description: The event corresponding to the act of creating a new service.
  - name: delete
    description: The event corresponding to the act of deleting a service.
  - name: pause
    description: The event corresponding to the act of pausing a currently running service.
  - name: start
    description: The event corresponding to the act of starting a new service.
  - name: stop
    description: The event corresponding to the act of stopping a service that is currently running.
fields:
  - name: fqdn
    description: The fully qualified domain name of the host. Contains the hostname appended with the domain.
    example: HOST1.EXAMPLE_DOMAIN.COM
  - name: hostname
    description: The hostname of the host, without the domain.
    example: HOST1
  - name: user
    description: The user token that the service was created with.
    example: HOST1\LOCALUSER
  - name: command_line
    description: The command line that the service is started with.
    example: C:\windows\system32\svchost.exe -k rpcss
  - name: exe
    description: The executable for the service.
    example: svchost.exe
  - name: image_path
    description: Where in the file system the service executable is located.
    example: C:\path\to\example.exe
  - name: name
    description: The name of the service.
    example: RpcSs
  - name: pid
    description: The process ID for the process of the service, represented in decimal notation.
    example: 718
  - name: ppid
    description: The process ID of the parent of the service's process, represented in decimal notation. In the parent process, this will be the pid field.
    example: 1860
  - name: uid
    description: The user ID or SID of the user who acted on the service.
    example: S-1-5-18
coverage_map:
  create:
    command_line: ["autoruns_13.98"]
    exe: ["autoruns_13.98"]
    fqdn: ["autoruns_13.98"]
    hostname: ["autoruns_13.98"]
    image_path: ["autoruns_13.98"]
  delete:
    command_line: ["autoruns_13.98"]
    exe: ["autoruns_13.98"]
    fqdn: ["autoruns_13.98"]
    hostname: ["autoruns_13.98"]
    image_path: ["autoruns_13.98"]