Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Sigma rule (View on GitHub)
1title: Interesting Service Enumeration Via Sc.EXE
2id: e83e8899-c9b2-483b-b355-5decc942b959
3status: test
4description: |
5 Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
6 Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
7references:
8 - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
9 - https://pentestlab.blog/tag/svchost/
10author: Swachchhanda Shrawan Poudel
11date: 2024-02-12
12tags:
13 - attack.t1003
14 - attack.credential-access
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection_img:
20 - Image|endswith: '\sc.exe'
21 - OriginalFileName: 'sc.exe'
22 selection_cli:
23 CommandLine|contains: 'query'
24 selection_cmd:
25 # Note: add more interesting services
26 CommandLine|contains: 'termservice'
27 condition: all of selection_*
28falsepositives:
29 - Unknown
30# Note: can be upgraded to medium after an initial baseline
31level: low
References
-
Recently I was browsing Twitter and came across a very interesting tweet: Umm- why can I find the password I used to connect to a remote desktop service in cleartext in memory of RDP service? First...
Read More -
Related rules
- Hacktool Execution - Imphash
- Live Memory Dump Using Powershell
- Loaded Module Enumeration Via Tasklist.EXE
- Potentially Suspicious ODBC Driver Registered
- Rare Subscription-level Operations In Azure