Service StartupType Change Via Sc.EXE
Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
Sigma rule (View on GitHub)
1title: Service StartupType Change Via Sc.EXE
2id: 85c312b7-f44d-4a51-a024-d671c40b49fc
3status: test
4description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
5references:
6 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-01
9modified: 2023-03-04
10tags:
11 - attack.execution
12 - attack.defense-evasion
13 - attack.t1562.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\sc.exe'
20 - OriginalFileName: 'sc.exe'
21 selection_cli:
22 CommandLine|contains|all:
23 - ' config '
24 - 'start'
25 CommandLine|contains:
26 - 'disabled'
27 - 'demand'
28 condition: all of selection_*
29falsepositives:
30 - False positives may occur with troubleshooting scripts
31level: medium
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - Stracciatella Execution
- Service StartupType Change Via PowerShell Set-Service
- APT29 2018 Phishing Campaign CommandLine Indicators