FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
bksol92
Staff
Article Id 413099
Description This article explains what a service access attempt means in the context of a FortiEDR security event.
Scope FortiEDR.
Solution

Some applications will try to perform a service access attempt, as seen in the following security event, where a process called joiedevivre.exe has injected its own thread in notepad.exe's address space to perform this action:

Figure: Thread injection in a notepad process

A service access attempt is usually performed when an application is trying to achieve persistence in Windows Services.

Legitimate and non-legitimate applications alike do so by first opening a connection to the Service Control Manager database with the OpenSCManager function, which is exported from sechost.dll (see Microsoft's documentation for the OpenSCManagerA function in winsvc.h).

In this case, sechost.dll is observed in the call stack of the event:

Figure: sechost.dll contained in the call stack leading up to the service access attempt

Figure: Dumpbin output of sechost.dll for exported functions

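The two indicators this article relies on, a sechost.dll!OpenSCManager frame in the call stack and a thread that was created by a different process, can be checked mechanically during triage. The following Python routine is an added example, not FortiEDR code; the event field names, the "module!function+offset" frame format and the "(unbacked)" marker for return addresses with no backing module are assumptions made for this example, and the sample event is constructed.

```python
import re

# Constructed sample event, loosely modelled on the one the article describes:
# joiedevivre.exe injects a thread into notepad.exe, and that thread opens the
# Service Control Manager. Field names and frame formats are assumptions for
# this example, not FortiEDR's real export schema.
SAMPLE_EVENT = {
    "process": "notepad.exe",
    "thread_creator": "joiedevivre.exe",
    "callstack": [
        "ntdll.dll!NtAlpcSendWaitReceivePort+0x14",
        "sechost.dll!OpenSCManagerW+0x52",
        "0x000001e4c3a10040 (unbacked)",
        "kernel32.dll!BaseThreadInitThunk+0x14",
    ],
}

# Exports that open the SCM database; the A/W pair is documented in winsvc.h.
SCM_OPEN_EXPORTS = {"openscmanagera", "openscmanagerw"}

FRAME_RE = re.compile(r"^(?P<module>[\w.\-]+)!(?P<func>\w+)(?:\+0x[0-9a-f]+)?$", re.I)


def triage(event: dict) -> dict:
    """Report whether the call stack shows a service access attempt and whether
    it came from a thread that does not belong to the host process."""
    scm_frame = None
    unbacked = []
    for frame in event["callstack"]:
        match = FRAME_RE.match(frame)
        if match is None:
            # A return address with no backing module is typical of injected code.
            if frame.endswith("(unbacked)"):
                unbacked.append(frame)
            continue
        if (match["module"].lower() == "sechost.dll"
                and match["func"].lower() in SCM_OPEN_EXPORTS):
            scm_frame = frame
    cross_process = event["thread_creator"].lower() != event["process"].lower()
    service_access = scm_frame is not None
    if service_access and (cross_process or unbacked):
        priority = "high"      # SCM opened from a thread the process did not create
    elif service_access:
        priority = "review"    # the process opened the SCM itself; confirm it is expected
    else:
        priority = "none"
    return {"service_access": service_access, "scm_frame": scm_frame,
            "cross_process": cross_process, "unbacked_frames": unbacked,
            "priority": priority}
```

Running triage(SAMPLE_EVENT) marks the constructed event as a high-priority service access attempt because the SCM frame sits below an unbacked return address in a thread created by another process.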