SCM Database Handle Failure
Detects non-system users failing to get a handle of the SCM database.
Sigma rule
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
    - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
    - attack.discovery
    - attack.t1010
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'ServicesActive'
        AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
        # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
    filter:
        SubjectLogonId: '0x3e4'
    condition: selection and not filter
falsepositives:
    - Unknown
# triggering on many hosts in some environments
level: medium
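To see exactly what the condition above admits, the following is an added Python example (not part of the Sigma project or the rule author's notebook) that applies the rule's selection and filter to constructed Security-log records. The sample logon id 0x5A2B1 and user jdoe are constructed; treating 0x3e4 as the NETWORK SERVICE logon session and the case-insensitive string match are stated as assumptions in the comments.

```python
from typing import Any, Dict, List

# Field values copied from the rule's selection and filter blocks above.
SELECTION = {"EventID": 4656, "ObjectType": "SC_MANAGER OBJECT",
             "ObjectName": "ServicesActive", "AccessMask": "0xf003f"}
# The rule's only exclusion: logon id 0x3e4 (assumed here to be the NETWORK SERVICE session).
FILTER = {"SubjectLogonId": "0x3e4"}


def matches(event: Dict[str, Any], fields: Dict[str, Any]) -> bool:
    """True when every listed field is present and equal. Sigma compares strings
    case-insensitively (assumption), so 0xF003F as Windows renders it matches 0xf003f."""
    for key, want in fields.items():
        got = event.get(key)
        if got is None:
            return False
        if isinstance(want, str) and isinstance(got, str):
            if got.lower() != want.lower():
                return False
        elif got != want:
            return False
    return True


def rule_fires(event: Dict[str, Any]) -> bool:
    """condition: selection and not filter"""
    return matches(event, SELECTION) and not matches(event, FILTER)


def run(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if rule_fires(e)]


def scm_event(**overrides: Any) -> Dict[str, Any]:
    """Constructed 4656 record (not real telemetry) with the selection fields pre-filled."""
    rec = {"EventID": 4656, "ObjectType": "SC_MANAGER OBJECT", "ObjectName": "ServicesActive",
           "AccessMask": "0xF003F", "Keywords": "Audit Failure"}
    rec.update(overrides)
    return rec


EVENTS = [
    # NETWORK SERVICE failing to open the SCM: dropped by the filter.
    scm_event(SubjectLogonId="0x3e4", SubjectUserName="NETWORK SERVICE"),
    # Non-system user asking for SC_MANAGER_ALL_ACCESS (0xF003F): the case the rule targets.
    scm_event(SubjectLogonId="0x5A2B1", SubjectUserName="jdoe"),
    # Keywords is commented out in the rule, so a successful open by the same user fires too.
    scm_event(SubjectLogonId="0x5A2B1", SubjectUserName="jdoe", Keywords="Audit Success"),
    # A narrower mask does not match: the rule pins 0xf003f to limit false positives.
    scm_event(SubjectLogonId="0x5A2B1", SubjectUserName="jdoe", AccessMask="0x20000"),
]
```

Running `run(EVENTS)` returns the two jdoe records, which shows that without a Keywords clause the rule also matches successful handle opens by non-system users.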