@scudette
Last active February 3, 2021 13:50
-- Details are found here https://posts.specterops.io/utilizing-rpc-telemetry-7af9ea08a1d5
-- This comes from svcctl.idl
LET MethodLookup <= dict(
`0x0`="CloseServiceHandle",
`0x2`="DeleteService",
`0x6`="QueryServiceStatus",
`0x7`="SetServiceStatus",
`0xC`="CreateServiceW",
-- `0x37`="0x37",
`0x10`="OpenServiceW",
`0x11`="QueryServiceConfigW",
`0x28`="QueryServiceStatusEx",
`0x2A`="EnumServicesStatusExW",
`0x2E`="ScQueryServiceTagInfo"
-- `0x40`="0x40"
)
SELECT System.TimeStamp AS Timestamp,
get(item=MethodLookup, member=EventData.ProcNum) AS Procedure,
EventData.NetworkAddress AS NetworkAddress,
EventData.Endpoint AS Endpoint,
EventData AS _EventData
FROM watch_etw(guid='{6AD52B32-D609-4BE9-AE07-CE8DAE937E39}'
-- Microsoft-Windows-RPC
)
WHERE System.ID = 6
AND EventData
AND EventData.InterfaceUuid = "{367abb81-9844-35f1-ad32-98f038001003}"
AND Procedure
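The same filter as a stand-alone Python script, added here as an example and not part of the gist or of Velociraptor itself. It takes dictionaries shaped like the rows watch_etw() yields (System.ID, System.TimeStamp, EventData.InterfaceUuid, EventData.ProcNum, EventData.NetworkAddress, EventData.Endpoint), keeps only event 6 records for the svcctl interface, maps the opnum through the same table, and drops unmapped opnums the way the VQL's `AND Procedure` clause does. It goes slightly further than the query in two places: interface UUIDs are compared case-insensitively (the VQL uses a plain string comparison), and ProcNum is accepted either as the hex string ETW renders ("0xC") or as an integer. The sample events, the IP address, the timestamps and the event shape are constructed for the example.

```python
"""Reduce Microsoft-Windows-RPC event 6 records to svcctl (Service Control
Manager) calls, mirroring the VQL in the gist.  Added example, not gist code."""

# Constants taken from the gist's query.
RPC_PROVIDER_GUID = "{6AD52B32-D609-4BE9-AE07-CE8DAE937E39}"   # Microsoft-Windows-RPC
SVCCTL_INTERFACE_UUID = "{367abb81-9844-35f1-ad32-98f038001003}"
RPC_EVENT_ID = 6                                                # System.ID in the WHERE clause

# Opnum -> procedure name, same entries as the gist's MethodLookup (from svcctl.idl).
METHOD_LOOKUP = {
    0x0: "CloseServiceHandle", 0x2: "DeleteService", 0x6: "QueryServiceStatus",
    0x7: "SetServiceStatus", 0xC: "CreateServiceW", 0x10: "OpenServiceW",
    0x11: "QueryServiceConfigW", 0x28: "QueryServiceStatusEx",
    0x2A: "EnumServicesStatusExW", 0x2E: "ScQueryServiceTagInfo",
}


def parse_procnum(value):
    """ETW renders ProcNum as a hex string such as '0xC'; accept that or an int."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    try:
        return int(str(value).strip(), 0)   # base 0 parses '0xC' as well as '12'
    except (TypeError, ValueError):
        return None


def normalize_uuid(value):
    """Canonical lower-case, brace-wrapped form so case differences do not hide a match."""
    if not isinstance(value, str):
        return None
    return "{" + value.strip().strip("{}").lower() + "}"


def svcctl_calls(events):
    """Return the rows the gist's SELECT would emit for an iterable of event dicts."""
    rows = []
    for ev in events:
        system = ev.get("System") or {}
        data = ev.get("EventData")
        if system.get("ID") != RPC_EVENT_ID or not data:       # WHERE System.ID = 6 AND EventData
            continue
        if normalize_uuid(data.get("InterfaceUuid")) != SVCCTL_INTERFACE_UUID:
            continue
        procedure = METHOD_LOOKUP.get(parse_procnum(data.get("ProcNum")))
        if procedure is None:                                   # AND Procedure: unmapped opnums dropped
            continue
        rows.append({
            "Timestamp": system.get("TimeStamp"),
            "Procedure": procedure,
            "NetworkAddress": data.get("NetworkAddress"),         # None when the caller is local
            "Endpoint": data.get("Endpoint"),
            "Remote": bool(data.get("NetworkAddress")),
        })
    return rows


# Constructed sample rows, shaped like watch_etw() output; addresses and times are made up.
SAMPLE_EVENTS = [
    {"System": {"ID": 6, "TimeStamp": "2021-02-03T13:40:00Z"},
     "EventData": {"InterfaceUuid": "{367abb81-9844-35f1-ad32-98f038001003}",
                   "ProcNum": "0x2", "NetworkAddress": None, "Endpoint": "\\pipe\\ntsvcs"}},
    {"System": {"ID": 6, "TimeStamp": "2021-02-03T13:40:01Z"},
     "EventData": {"InterfaceUuid": "{367ABB81-9844-35F1-AD32-98F038001003}",   # upper case
                   "ProcNum": "0xC", "NetworkAddress": "10.0.0.5", "Endpoint": "\\pipe\\ntsvcs"}},
    {"System": {"ID": 6, "TimeStamp": "2021-02-03T13:40:02Z"},                  # opnum not in table
     "EventData": {"InterfaceUuid": "{367abb81-9844-35f1-ad32-98f038001003}", "ProcNum": "0x37"}},
    {"System": {"ID": 6, "TimeStamp": "2021-02-03T13:40:03Z"},                  # other interface
     "EventData": {"InterfaceUuid": "{00000000-0000-0000-0000-000000000000}", "ProcNum": "0x2"}},
    {"System": {"ID": 5, "TimeStamp": "2021-02-03T13:40:04Z"},                  # other event ID
     "EventData": {"InterfaceUuid": "{367abb81-9844-35f1-ad32-98f038001003}", "ProcNum": "0x2"}},
    {"System": {"ID": 6, "TimeStamp": "2021-02-03T13:40:05Z"}, "EventData": None},  # no payload
]


if __name__ == "__main__":
    for row in svcctl_calls(SAMPLE_EVENTS):
        print(row)
```

Run as a script it prints two rows: the local DeleteService (NetworkAddress None, as in the author's sc.exe sample below) and the remote CreateServiceW. The Remote flag is the field to sort on when triaging: service creation or deletion that arrives with a NetworkAddress set comes from another host, which is the case the RPC telemetry in the linked SpecterOps post is meant to surface.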
@scudette
scudette commented Feb 3, 2021

Sample output for the following commands (run locally, which is why the network address is NULL).

C:\Users\test\Downloads>sc.exe delete owned
[SC] DeleteService SUCCESS

C:\Users\test\Downloads>sc.exe create owned binpath="C:\Windows\notepad.exe"
[SC] CreateService SUCCESS
