proc_creation_win_net_start_service.yml

title: Start Windows Service Via Net.EXE
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: test
description: Detects the usage of the "net.exe" command to start a service using the "start" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2023/03/05
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
    condition: all of selection_*
falsepositives:
    - Legitimate administrator or user executes a service for legitimate reasons.
level: low