Stop Windows Service Via Sc.EXE

calendar Jan 29, 2024 · attack.impact attack.t1489  ·
Share on: linkedin copy

Detects the stopping of a Windows service via the "sc.exe" utility

Sigma rule (View on GitHub)

 1title: Stop Windows Service Via Sc.EXE
 2id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
 3related:
 4    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
 5      type: obsoletes
 6status: test
 7description: Detects the stopping of a Windows service via the "sc.exe" utility
 8references:
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
10author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
11date: 2023/03/05
12modified: 2024/01/18
13tags:
14    - attack.impact
15    - attack.t1489
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - OriginalFileName: 'sc.exe'
22        - Image|endswith: '\sc.exe'
23    selection_cli:
24        CommandLine|contains: ' stop '
25    condition: all of selection_*
26falsepositives:
27    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
28level: low

References

  • Sc stop

    Sc stop Article 08/31/2016 Applies To: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2003 with SP2, Windows Server 2003 R2, Windows Server 2008 R2, Windows Serv...


    Read More

Related rules

to-top