Author Topic: Can execute Sub-Programs: Alert -- what command lines does it monitor?  (Read 299 times)

shmu26

  • Active Testers
  • Sr. Member
  • Posts: 436
  • Win10 x64 latest stable
I am trying to understand "Can execute Sub-Programs: Alert".
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?

fixer

  • Administrator
  • Hero Member
  • *****
  • Posts: 1392
Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
« Reply #1 on: November 04, 2018, 01:25:32 pm »
What program do you have the Sub-Programs Alert rule for? cmd or sc?
And just in case, make sure you set it for the correct real user, the one you test from.

shmu26

  • Active Testers
  • Sr. Member
  • Posts: 436
  • Win10 x64 latest stable
Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
« Reply #2 on: November 04, 2018, 01:46:09 pm »
cmd.exe, as it is in the default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.

fixer

  • Administrator
  • Hero Member
  • Posts: 1392
Re: Can execute Sub-Programs: Alert -- what command lines does it monitor?
« Reply #3 on: November 04, 2018, 06:35:38 pm »
Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
-parent: cmd.exe
-process: sc.exe
Parameters are checked for the process, which is sc.exe. So you don't get any alerts.
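The lookup order the thread settles on (rule found for the launched process, not for its parent; parameters checked against that process's command line) can be modelled over a few process-creation events. The block below is an added example and not ReHIPS code or anything from the forum posters: the event shape borrows Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), the sample events are constructed for the "sc delete ProcLoggerSvc" scenario, and the rule predicate "alert when launched with parameters" is an assumed stand-in for whatever the real rule does. A second function with the parent-keyed lookup is included only so the difference the admin describes is visible side by side.

```python
"""Model of per-process 'sub-program' rule lookup (added example, not ReHIPS code).

Demonstrates the thread's conclusion: a rule configured on cmd.exe does not fire
when cmd.exe launches sc.exe, because the rule is looked up for the launched
image (sc.exe) and the parameters are checked for that process.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation event; field names follow Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not captured logs): explorer opens an elevated
# cmd.exe, which then runs the delete from the thread plus a harmless query.
EVENTS: List[ProcessCreate] = [
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\sc.exe", "sc delete ProcLoggerSvc"),
    ProcessCreate(r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\sc.exe", "sc query ProcLoggerSvc"),
]

# A rule is a predicate over the launched process's command line, keyed by the
# basename of the image the rule is configured for.
Rule = Callable[[str], bool]
Rules = Dict[str, Rule]


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path, for rule lookup."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_with_parameters(command_line: str) -> bool:
    """Assumed rule body: alert when the process is started with parameters."""
    return len(command_line.split()) > 1


def alerts_keyed_by_process(events: List[ProcessCreate], rules: Rules) -> List[str]:
    """Lookup as the thread describes: the rule belongs to the launched image
    ('process'); the parent is only reported in the alert text."""
    alerts = []
    for ev in events:
        rule = rules.get(basename(ev.image))
        if rule is not None and rule(ev.command_line):
            alerts.append(f"{basename(ev.parent_image)} -> {basename(ev.image)}: "
                          f"{ev.command_line}")
    return alerts


def alerts_keyed_by_parent(events: List[ProcessCreate], rules: Rules) -> List[str]:
    """Contrast only: lookup by the parent image, i.e. what the poster expected
    ('cmd.exe called sc.exe, so cmd.exe's rule should fire'). Not ReHIPS behaviour."""
    alerts = []
    for ev in events:
        rule = rules.get(basename(ev.parent_image))
        if rule is not None and rule(ev.command_line):
            alerts.append(f"{basename(ev.parent_image)} -> {basename(ev.image)}: "
                          f"{ev.command_line}")
    return alerts


# The poster's setup: rule only on cmd.exe (assumed default).
POSTER_RULES: Rules = {"cmd.exe": launched_with_parameters}
# The fix implied by the thread: give sc.exe its own rule.
FIXED_RULES: Rules = {"cmd.exe": launched_with_parameters,
                      "sc.exe": launched_with_parameters}


if __name__ == "__main__":
    print("rule on cmd.exe only, keyed by process:", alerts_keyed_by_process(EVENTS, POSTER_RULES))
    print("rule on cmd.exe and sc.exe, keyed by process:", alerts_keyed_by_process(EVENTS, FIXED_RULES))
    print("rule on cmd.exe only, keyed by parent:", alerts_keyed_by_parent(EVENTS, POSTER_RULES))
```

With only the cmd.exe rule, the process-keyed lookup returns nothing for the whole session, which is the silence the poster observed; adding a rule for sc.exe makes both sc.exe launches alert. If you want to catch a specific parent-child pair regardless of which program carries the rule, that is a different kind of check (the parent-keyed function here), and the thread is explicit that the Sub-Programs rule is not that.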