Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Sigma rule (View on GitHub)
1title: Interesting Service Enumeration Via Sc.EXE
2id: e83e8899-c9b2-483b-b355-5decc942b959
3status: experimental
4description: |
5 Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
6 Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
7references:
8 - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
9 - https://pentestlab.blog/tag/svchost/
10author: Swachchhanda Shrawan Poudel
11date: 2024/02/12
12tags:
13 - attack.t1003
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection_img:
19 - Image|endswith: '\sc.exe'
20 - OriginalFileName: 'sc.exe'
21 selection_cli:
22 CommandLine|contains: 'query'
23 selection_cmd:
24 # Note: add more interesting services
25 CommandLine|contains: 'termservice'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29# Note: can be upgraded to medium after an initial baseline
30level: low
References
-
Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First...
Read More -
Related rules
- Hacktool Execution - Imphash
- Microsoft IIS Connection Strings Decryption
- Microsoft IIS Service Account Password Dumped
- Potential Invoke-Mimikatz PowerShell Script
- Hacktool Execution - PE Metadata