Add sc.exe command to the create-service.yml rule
Potentially we could also add the `create process` and `reg add` block to the `set registry value`. Would you mind taking another look?
I think this is a great idea that will lead to cleaner rules which follow the DRY principle. I caught up on this and provided the commit 13a4bf1 which implements your suggestion. We could also think about adding the sc.exe command to the create-service.yml rule in the future.
Originally posted by @0x534a in https://github.com/fireeye/capa-rules/issues/207#issuecomment-750488674
@mr-tz Hi, is this issue still valid? If so, I'd love to take a look at this issue.
sure, thanks
@mr-tz I made a PR #1124 on this issue. Could you please take a look when you have a chance? Any feedback on the direction is highly appreciated. The issue seemed inactive for a while, so I decided to pick it up.