Hunting For Process Command Line Artifacts Of Service Creation
Query
DeviceProcessEvents
| where ActionType has "ProcessCreated" and FileName has "sc.exe" and ProcessCommandLine contains "creat"About this query
Hunting for process command line artifacts of service creation
Threat actors might use command line utilities to create a services.
Explanation
This query is designed to identify instances where a command line utility, specifically "sc.exe," is used to create a service on a device. Here's a breakdown of what the query does:
-
DeviceProcessEvents: This is the data source being queried, which contains events related to processes on devices.
-
where ActionType has "ProcessCreated": This filters the events to only include those where a new process has been created.
-
and FileName has "sc.exe": This further narrows down the results to processes where the executable file is "sc.exe." This is a command line utility used for managing Windows services.
-
and ProcessCommandLine contains "creat": This checks if the command line used to start the process includes the word "creat," which is likely a part of the command "create" used in service creation.
In summary, the query is looking for instances where the "sc.exe" utility is used to create a service, which could be indicative of a threat actor attempting to establish persistence or perform other malicious activities on a system.
Details

Sergio Albea
Released: December 13, 2024
Tables
Keywords
Operators