Query Details

Hunting For Process Command Line Artifacts Of Service Creation

Query

**Hunting for process command line artifacts of service creation**

Threat actors might use command line utilities to create a service.

```kql
// Process creations of sc.exe whose command line carries the "create" verb
DeviceProcessEvents
| where ActionType has "ProcessCreated" and FileName has "sc.exe" and ProcessCommandLine contains "creat"
```

Explanation

This query is designed to identify instances where a command line utility, specifically "sc.exe," is used to create a service on a device. Here's a breakdown of what the query does:

  1. DeviceProcessEvents: This is the data source being queried, which contains events related to processes on devices.

  2. where ActionType has "ProcessCreated": This filters the events to only include those where a new process has been created.

  3. and FileName has "sc.exe": This further narrows down the results to processes where the executable file is "sc.exe." This is a command line utility used for managing Windows services.

  4. and ProcessCommandLine contains "creat": This checks if the command line used to start the process includes the word "creat," which is likely a part of the command "create" used in service creation.

In summary, the query is looking for instances where the "sc.exe" utility is used to create a service, which could be indicative of a threat actor attempting to establish persistence or perform other malicious activities on a system.
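To make the filter semantics concrete, the following added example (not part of the original page or its author's query) models the query's `where` clause in Python and runs it over constructed `DeviceProcessEvents` rows. The `kql_has` and `kql_contains` helpers are approximations of KQL's case-insensitive whole-term `has` and substring `contains`; the `extract_service_details` enrichment that pulls the service name and `binPath` out of a matched command line is an addition for triage and is not part of the query.

```python
"""Offline model of the sc.exe service-creation hunt (added example).

KQL 'has' is a case-insensitive match on whole terms and 'contains' a
case-insensitive substring match; the helpers below approximate those
semantics so the row filter behaves like the query's where clause.
"""
import re

# Constructed sample rows shaped like DeviceProcessEvents; not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "jdoe", "ActionType": "ProcessCreated",
     "FileName": "sc.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r'sc.exe create UpdSvc binPath= "C:\Users\Public\u.exe" start= auto'},
    {"DeviceName": "ws01", "AccountName": "jdoe", "ActionType": "ProcessCreated",
     "FileName": "sc.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "sc.exe query wuauserv"},            # no "creat": not matched
    {"DeviceName": "srv02", "AccountName": "svc_admin", "ActionType": "ProcessCreated",
     "FileName": "SC.EXE", "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": r"SC CREATE svc2 binPath= c:\temp\x.exe"},   # upper case still matches
    {"DeviceName": "srv02", "AccountName": "svc_admin", "ActionType": "ProcessCreated",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell New-Service -Name x"},  # other utility: outside this query
    {"DeviceName": "ws03", "AccountName": "jdoe", "ActionType": "ProcessCreated",
     "FileName": "sc.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": r"sc.exe \\srv01 create RemoteSvc binPath= c:\t.exe"},  # remote target
]


def kql_has(value: str, term: str) -> bool:
    """Approximate KQL 'has': case-insensitive match on a run of whole terms.

    Terms are alphanumeric runs, so "sc.exe" is the two adjacent terms
    "sc", "exe"; "basc.exe" does not contain that sequence.
    """
    tokens = re.findall(r"[A-Za-z0-9]+", value.lower())
    needle = re.findall(r"[A-Za-z0-9]+", term.lower())
    n = len(needle)
    return any(tokens[i:i + n] == needle for i in range(len(tokens) - n + 1))


def kql_contains(value: str, needle: str) -> bool:
    """Approximate KQL 'contains': case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_query(event: dict) -> bool:
    """The query's where clause, evaluated on one row."""
    return (kql_has(event["ActionType"], "ProcessCreated")
            and kql_has(event["FileName"], "sc.exe")
            and kql_contains(event["ProcessCommandLine"], "creat"))


def extract_service_details(cmdline: str) -> dict:
    """Triage enrichment (assumed helper): pull service name and binPath.

    sc.exe syntax is 'sc create <name> binPath= <path>'; the space after
    '=' is part of the syntax, so the regex allows optional whitespace.
    """
    name = re.search(r'\bcreate\s+"?([^"\s]+)"?', cmdline, re.IGNORECASE)
    bin_path = re.search(r'binPath=\s*(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return {
        "ServiceName": name.group(1) if name else None,
        "BinPath": (bin_path.group(1) or bin_path.group(2)) if bin_path else None,
    }


def hunt(events: list) -> list:
    """Return matching rows, each enriched with ServiceName and BinPath."""
    results = []
    for event in events:
        if matches_query(event):
            results.append({**event, **extract_service_details(event["ProcessCommandLine"])})
    return results


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["AccountName"], hit["InitiatingProcessFileName"],
              hit["ServiceName"], hit["BinPath"])
```

The enriched fields give a reviewer the two things worth checking first on a hit: which service name was registered and where its binary lives. In the constructed sample, three of the five rows match, and the `query` invocation and the PowerShell `New-Service` call fall outside the query's scope, which is the behaviour the original filter implies.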

Details


Sergio Albea

Released: December 13, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents

where

has

and

contains
