Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntlowtest

SC.EXE Query Execution

Detects execution of "sc.exe" to query information about registered services on the system

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Mon Dec 06Updated Thu Feb 0857712d7a-679c-4a41-a913-87e7175ae429windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        Image|endswith: '\sc.exe'
        OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: ' query'
    filter_optional_keybase:
        CommandLine: 'sc query dokan1'
    condition: all of selection_* and not 1 of filter_optional_*
False Positives

Legitimate query of a service by an administrator to get more information such as the state or PID

Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"

References
1
Resolving title…
github.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
57712d7a-679c-4a41-a913-87e7175ae429
Status
test
Level
low
Type
Threat Hunt
Created
Mon Dec 06
Modified
Thu Feb 08
Author
François Hubaut
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml
Raw Tags
attack.discoveryattack.t1007detection.threat-hunting
View on GitHub