Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Sigma rule (View on GitHub)
1title: Interesting Service Enumeration Via Sc.EXE
2id: e83e8899-c9b2-483b-b355-5decc942b959
3status: experimental
4description: |
5 Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
6 Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
7references:
8 - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
9 - https://pentestlab.blog/tag/svchost/
10author: Swachchhanda Shrawan Poudel
11date: 2024/02/12
12tags:
13 - attack.t1003
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection_img:
19 - Image|endswith: '\sc.exe'
20 - OriginalFileName: 'sc.exe'
21 selection_cli:
22 CommandLine|contains: 'query'
23 selection_cmd:
24 # Note: add more interesting services
25 CommandLine|contains: 'termservice'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29# Note: can be upgraded to medium after an initial baseline
30level: low
References
Related rules
- Hacktool Execution - Imphash
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Potential Invoke-Mimikatz PowerShell Script
- Hacktool Execution - PE Metadata