Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Sigma rule

```yaml
title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: test
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
tags:
    - attack.t1003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'query'
    selection_cmd:
        # Note: add more interesting services
        CommandLine|contains: 'termservice'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
```
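To show what the detection block actually matches, here is a small added example (not the Sigma project's code or the rule author's) that evaluates the three selections against constructed process-creation events. Field names follow the rule; the events and the evaluator are assumptions for illustration, and Sigma's default case-insensitive string matching is reproduced by lowercasing both sides.

```python
from typing import Dict, List

# The rule's detection block. A list of maps in a selection is OR, fields of one
# map are AND, "all of selection_*" ANDs the selections; matching is case-insensitive.
RULE_DETECTION: Dict[str, List[Dict[str, str]]] = {
    "selection_img": [
        {"Image|endswith": "\\sc.exe"},
        {"OriginalFileName": "sc.exe"},
    ],
    "selection_cli": [{"CommandLine|contains": "query"}],
    "selection_cmd": [{"CommandLine|contains": "termservice"}],
}


def field_matches(event: Dict[str, str], spec: str, value: str) -> bool:
    """Apply one 'Field|modifier: value' pair to an event, case-insensitively."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = value.lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str], alternatives: List[Dict[str, str]]) -> bool:
    """A selection matches when any alternative has all of its fields matching."""
    return any(all(field_matches(event, s, v) for s, v in alt.items()) for alt in alternatives)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return all(selection_matches(event, alts) for alts in RULE_DETECTION.values())


def matching_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed process-creation events (not real telemetry). The third shows why the
# rule also keys on OriginalFileName: sc.exe copied under another name still matches.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe query termservice"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc query wuauserv"},
    {"Image": "C:\\tools\\svc.exe", "OriginalFileName": "sc.exe", "CommandLine": "svc.exe QUERY TermService"},
]
```

Because the second event queries a different service, it falls through `selection_cmd`, which is exactly where the rule's "add more interesting services" note applies.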
Related rules
- Suspicious SYSTEM User Process Creation
- Hacktool Execution - Imphash
- Antivirus Password Dumper Detection
- Access To Crypto Currency Wallets By Uncommon Applications
- Capture Credentials with Rpcping.exe