ReHIPS forum

English Subforum => ReHIPS => Topic started by: shmu26 on November 04, 2018, 08:45:17 AM

Title: Can execute Sub-Programs: Alert -- what command lines does it monitor?
Post by: shmu26 on November 04, 2018, 08:45:17 AM
I am trying to understand "Can execute Sub-Programs: Alert" .
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?
Title: Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
Post by: fixer on November 04, 2018, 01:25:32 PM
What program do you have the Sub-Programs Alert rule for? cmd or sc?
And just in case make sure you set it for the correct real user, the one you test from.
Title: Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
Post by: shmu26 on November 04, 2018, 01:46:09 PM
cmd.exe, like it is in default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.
Title: Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
Post by: fixer on November 04, 2018, 06:35:38 PM
Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
-parent: cmd.exe
-process: sc.exe
Parameters are checked for the process, which is sc.exe. So you don't get any alerts.
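A way to see the same parent / process / parameters breakdown on your own machine, independent of ReHIPS: Windows' process-creation audit events (Security log, event ID 4688) record the creator image, the new image and its command line. The script below is an added example, not code from this thread or from the ReHIPS project. It assumes you run it elevated, that "Audit Process Creation" is enabled (auditpol /set /subcategory:"Process Creation" /success:enable) and that the "Include command line in process creation events" policy is on, otherwise the CommandLine field is empty.

```powershell
# Added example (not ReHIPS code): read recent 4688 events and print them as
# parent / process / parameters, the way the check is described above.
# Assumes: elevated session, "Audit Process Creation" success auditing enabled,
# and "Include command line in process creation events" enabled.

function Get-ChildProcessAudit {
    param(
        [string] $ProcessName = 'sc.exe',   # image whose creation you want to see
        [int]    $MaxEvents   = 200         # how many recent 4688 events to scan
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Parent     = $data['ParentProcessName']   # e.g. C:\Windows\System32\cmd.exe
            Process    = $data['NewProcessName']      # e.g. C:\Windows\System32\sc.exe
            Parameters = $data['CommandLine']         # e.g. sc delete ProcLoggerSvc
        }
    } |
    Where-Object { $_.Process -like "*\$ProcessName" }
}

# Usage: from an elevated cmd.exe run a harmless sc command such as
#   sc query ProcLoggerSvc
# then, in an elevated PowerShell window:
Get-ChildProcessAudit -ProcessName 'sc.exe' | Format-Table -AutoSize
```

The Parent column shows cmd.exe and the Parameters column belongs to the Process column (sc.exe), which is the image a Sub-Programs rule has to be set on for the parameters to be checked, as explained in the post above. Use a read-only command such as sc query when reproducing this rather than deleting a service.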