
Can execute Sub-Programs: Alert -- what command lines does it monitor?

shmu26:
I am trying to understand "Can execute Sub-Programs: Alert".
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?

fixer:
What program do you have the Sub-Programs Alert rule for? cmd or sc?
And just in case, make sure you set it for the correct real user, the one you test from.

shmu26:
cmd.exe, like it is in default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.

fixer:
Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
-parent: cmd.exe
-process: sc.exe
Parameters are checked for the process, which is sc.exe. So you don't have any alerts.
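A small model of the lookup fixer describes, added here as an illustration and not ReHIPS code: the rule is found by the executed image (sc.exe), not by the parent (cmd.exe), and it is scoped to the user the test runs as. The rule table, user name and event are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of "Can execute Sub-Programs: Alert" evaluation.
# A rule is attached to a program and is consulted for the process that is
# executed, not for the parent that launched it; rules are also per user.

@dataclass(frozen=True)
class ProcessStart:
    user: str      # account the test is run from
    parent: str    # executor: image that launches the child (cmd.exe)
    image: str     # executed: image being started (sc.exe)
    args: tuple    # parameters passed to `image`

@dataclass(frozen=True)
class SubProgramsRule:
    action: str    # "Alert" in the default setting discussed

def find_rule(rules, user, image):
    # Rules are keyed by (user, image); matching is case-insensitive.
    return rules.get((user.lower(), image.lower()))

def evaluate(rules, ev, on="executed"):
    """Return 'alert', 'allow' or 'no-rule' for one process start.

    on="executed" is the behaviour fixer describes (look up ev.image).
    on="executor" is the behaviour shmu26 expected (look up ev.parent),
    included only to show why the two give different results.
    """
    key = ev.image if on == "executed" else ev.parent
    rule = find_rule(rules, ev.user, key)
    return "no-rule" if rule is None else rule.action.lower()

def sample_rules():
    # Default-like table: only cmd.exe carries the Sub-Programs rule.
    return {("alice", "cmd.exe"): SubProgramsRule("Alert")}

def sample_event():
    # Constructed event mirroring the test in the thread.
    return ProcessStart("alice", "cmd.exe", "sc.exe", ("delete", "ProcLoggerSvc"))

if __name__ == "__main__":
    rules, ev = sample_rules(), sample_event()
    print(evaluate(rules, ev))                  # no-rule (cmd.exe rule not consulted)
    print(evaluate(rules, ev, on="executor"))   # alert (what shmu26 expected)
    rules[("alice", "sc.exe")] = SubProgramsRule("Alert")
    print(evaluate(rules, ev))                  # alert (rule on the executed program)
    other = ProcessStart("bob", "cmd.exe", "sc.exe", ev.args)
    print(evaluate(rules, other))               # no-rule (rule set for a different user)
```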
