Execution of Existing Service via Command
Identifies attempts to execute an existing service by running a built-in Windows command.
| id | 45861478-8ba3-4302-9600-1970d5d8b074 |
|---|---|
| categories | enrich |
| confidence | low |
| os | windows |
| created | 7/26/2019 |
| updated | 7/26/2019 |
Query
```eql
// Process-creation events in which a built-in Windows utility starts an
// already-installed service. The sc.exe clause uses wildcard() because the
// pattern contains glob characters; == compares against the literal string
// "* start *" and would never match a real command line.
process where subtype.create and (
  process_name == "sc.exe" and wildcard(command_line, "* start *") or
  process_name == "net.exe" and match(command_line, ?".*? start *[\s].*") or
  process_name == "powershell.exe" and wildcard(command_line, "*Start-Service*") or
  process_name == "wmic.exe" and wildcard(command_line, "*service*call*startservice*")
)
```
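The matching logic of this analytic replayed in Python over constructed process-creation events, added here as an example and not part of the analytic library. The `wildcard()` and `match()` helpers approximate EQL's case-insensitive glob and regular-expression functions (an assumption, not the library's implementation), and the sample events are made up for the demonstration.

```python
import fnmatch
import re

# Constructed process-creation events (not captured from a real host). Only the
# image name and the command line matter to this analytic.
EVENTS = [
    {"process_name": "sc.exe", "command_line": "sc  start  AppMgmt"},
    {"process_name": "net.exe", "command_line": 'net start "Windows Update"'},
    {"process_name": "powershell.exe", "command_line": "powershell -c Start-Service -Name Spooler"},
    {"process_name": "wmic.exe", "command_line": "wmic service where name='Spooler' call startservice"},
    {"process_name": "sc.exe", "command_line": "sc query Spooler"},        # query, not a start
    {"process_name": "net.exe", "command_line": "net user"},               # unrelated net subcommand
    {"process_name": "net.exe", "command_line": "net stop Spooler"},       # stop, not a start
]


def wildcard(value, pattern):
    """Approximation of EQL wildcard(): case-insensitive glob over the whole string."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def match(value, pattern):
    """Approximation of EQL match(): regex against the whole string.

    The page's pattern is wrapped in .* on both sides, so anchoring does not
    change its result here.
    """
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def is_service_start(event):
    """One clause per utility, mirroring the EQL query. 'and' binds tighter than 'or'."""
    name = event["process_name"].lower()
    cmd = event["command_line"]
    return (
        name == "sc.exe" and wildcard(cmd, "* start *") or
        name == "net.exe" and match(cmd, r".*? start *[\s].*") or
        name == "powershell.exe" and wildcard(cmd, "*Start-Service*") or
        name == "wmic.exe" and wildcard(cmd, "*service*call*startservice*")
    )


def enrich(events):
    """Return the events the analytic would tag; the query is 'enrich', not alert-only."""
    return [e for e in events if is_service_start(e)]


if __name__ == "__main__":
    for hit in enrich(EVENTS):
        print(hit["process_name"], "->", hit["command_line"])
```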