frack113
020fc8061f
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
27 lines
973 B
YAML
27 lines
973 B
YAML
title: SC.EXE Query Execution
|
|
id: 57712d7a-679c-4a41-a913-87e7175ae429
|
|
status: test
|
|
description: Detects execution of "sc.exe" to query information about registered services on the system
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
|
|
author: frack113
|
|
date: 2021/12/06
|
|
modified: 2022/11/10
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1007
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
Image|endswith: '\sc.exe'
|
|
OriginalFileName|endswith: 'sc.exe'
|
|
selection_cli:
|
|
CommandLine|contains: ' query'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Legitimate query of a service by an administrator to get more information such as the state or PID
|
|
- Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
|
|
level: low
|