Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Interesting Service Enumeration Via Sc.EXE

Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan PoudelCreated Mon Feb 12e83e8899-c9b2-483b-b355-5decc942b959windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic3 selectors
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'query'
    selection_cmd:
        # Note: add more interesting services
        CommandLine|contains: 'termservice'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
n00py.io
2
Resolving title…
pentestlab.blog
MITRE ATT&CK
Rule Metadata
Rule ID
e83e8899-c9b2-483b-b355-5decc942b959
Status
test
Level
low
Type
Detection
Created
Mon Feb 12
Author
Swachchhanda Shrawan Poudel
Path
rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
Raw Tags
attack.t1003attack.credential-access
View on GitHub