Can execute Sub-Programs: Alert -- what command lines does it monitor?

Started by shmu26, November 04, 2018, 08:45:17 AM


shmu26

I am trying to understand "Can execute Sub-Programs: Alert".
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?

fixer

What program do you have the Sub-Programs Alert rule for? cmd or sc?
And just in case, make sure you set it for the correct real user, the one you test from.

shmu26

cmd.exe, as in the default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.

fixer

Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
- parent: cmd.exe
- process: sc.exe
Parameters are checked for the process, which is sc.exe. So you don't have any alerts.
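A small model of the rule semantics fixer describes, added here as an example and not the tool's own code: the rule is looked up by the executed image, its parameters are what get checked, and the parent is never consulted. The trace, the rule names and the assumption that a launch without parameters stays silent are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Verdicts a rule can carry (constructed names for this model).
ALERT, ALLOW = "Alert", "Allow"


@dataclass(frozen=True)
class Launch:
    """One process-creation event from a constructed trace."""
    parent: str    # image that started the new process (the executor)
    process: str   # image actually executed (the executed program)
    params: str    # command line handed to the new process


def verdict_for(rules: Dict[str, str], launch: Launch) -> str:
    """Consult only the rule attached to the executed image.

    The parent's rule is never looked at: a rule on cmd.exe says nothing
    about cmd.exe launching sc.exe, which is the thread's conclusion.
    Assumption: an Alert rule inspects parameters, so a bare launch is silent.
    """
    rule = rules.get(launch.process.lower())
    if rule is None:
        return "NoRule"
    if rule == ALERT and not launch.params.strip():
        return "NoParams"
    return rule


def alerts(rules: Dict[str, str], trace: List[Launch]) -> List[str]:
    """Executed images in the trace whose launch would raise an alert."""
    return [ev.process for ev in trace if verdict_for(rules, ev) == ALERT]


def unwatched(rules: Dict[str, str], trace: List[Launch]) -> Set[str]:
    """Executed images with no rule at all: the gaps to review, because
    nothing configured on their parent applies to them."""
    return {ev.process for ev in trace if verdict_for(rules, ev) == "NoRule"}


# Constructed trace of the thread's test: an elevated prompt runs `sc delete ProcLoggerSvc`.
TRACE = [
    Launch("explorer.exe", "cmd.exe", ""),
    Launch("cmd.exe", "sc.exe", "delete ProcLoggerSvc"),
]
DEFAULT_RULES = {"cmd.exe": ALERT}                  # rule on the executor only
FIXED_RULES = {"cmd.exe": ALERT, "sc.exe": ALERT}   # rule on the executed program too

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: alerts={alerts(rules, TRACE)} unwatched={sorted(unwatched(rules, TRACE))}")
```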