Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

SCM Database Handle Failure

Detects non-system users failing to get a handle of the SCM database.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g)Created Mon Aug 12Updated Mon Jul 1113addce7-47b2-4ca0-a98f-1de964d1d669windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4656
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'ServicesActive'
        AccessMask: '0xf003f'  # is used in the reference; otherwise too many FPs
        # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
    filter:
        SubjectLogonId: '0x3e4'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
threathunterplaybook.com
MITRE ATT&CK
Rule Metadata
Rule ID
13addce7-47b2-4ca0-a98f-1de964d1d669
Status
test
Level
medium
Type
Detection
Created
Mon Aug 12
Modified
Mon Jul 11
Author
Roberto Rodriguez (Cyb3rWard0g)
Path
rules/windows/builtin/security/win_security_scm_database_handle_failure.yml
Raw Tags
attack.discoveryattack.t1010
View on GitHub