Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Sigma rule
title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: experimental
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
tags:
    - attack.t1003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'query'
    selection_cmd:
        # Note: add more interesting services
        CommandLine|contains: 'termservice'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
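To show how the three selections combine under `all of selection_*`, here is an added Python example (not part of the rule or the Sigma project) that applies the same matching logic to a few constructed process-creation events; the field names follow the rule, and the lowercased comparison reflects Sigma's default case-insensitive string matching.

```python
# Constructed process-creation events in the shape of the rule's fields
# (Image, OriginalFileName, CommandLine). Sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query termservice"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc  queryex TermService"},      # mixed case still matches
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "svc.exe query termservice"},    # renamed binary, OriginalFileName catches it
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe start termservice"},     # no 'query': not enumeration
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query wuauserv"},        # not in the interesting-service list
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c sc query termservice"},  # parent shell; the sc.exe child has its own event
]

# Mirrors selection_cmd; extend this list where the rule says "add more interesting services".
INTERESTING_SERVICES = ["termservice"]


def matches_rule(event):
    """Return True when the event satisfies the rule's 'all of selection_*' condition."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_img is a list of maps, so its two entries are OR-ed.
    selection_img = image.endswith("\\sc.exe") or original == "sc.exe"
    selection_cli = "query" in cmdline
    selection_cmd = any(svc in cmdline for svc in INTERESTING_SERVICES)
    return selection_img and selection_cli and selection_cmd


def run_detection(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```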
References
Related rules
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe
- Credential Manager Access By Uncommon Applications
- Esentutl Gather Credentials
- HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump