Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service
Sigma rule

title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsoletes
status: experimental
description: Detects the stopping of a Windows service
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    filter_kaspersky:
        CommandLine:
            - 'sc  stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
            - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low
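To make the condition concrete, the following is an added example (not part of the SigmaHQ rule or the Sigma project) that re-implements this rule's detection logic in Python and runs it over constructed process_creation events; it shows that the filter only suppresses a hit when both the exact command line and the service-account user match, so the same Kaspersky command run by an ordinary user still alerts.

```python
# Added example, not part of the SigmaHQ rule or the Sigma project: a minimal
# Python re-implementation of this rule's detection logic, run over constructed
# process_creation events to show how the two selections and the filter combine.
# Field names follow the Sigma process_creation taxonomy; the events are made up.

def _f(ev, key):
    # Sigma string matching is case-insensitive by default.
    return str(ev.get(key, "")).lower()

def selection_img(ev):
    # A list of maps is OR-ed: either value identifies sc.exe.
    return _f(ev, "OriginalFileName") == "sc.exe" or _f(ev, "Image").endswith("\\sc.exe")

def selection_cli(ev):
    # '|contains' with surrounding spaces: the ' stop ' token must appear.
    return " stop " in _f(ev, "CommandLine")

def filter_kaspersky(ev):
    # A map is AND-ed: the CommandLine must equal one of the two listed strings
    # (note the double space in the Kaspersky one) AND the User must contain
    # 'AUTHORI' or 'AUTORI' (covers 'NT AUTHORITY' and localized forms).
    cmd_ok = _f(ev, "CommandLine") in (
        "sc  stop kscwebconsolemessagequeue",
        "sc stop lghubupdaterservice",
    )
    user = _f(ev, "User")
    return cmd_ok and ("authori" in user or "autori" in user)

def matches(ev):
    # condition: all of selection_* and not 1 of filter_*
    return selection_img(ev) and selection_cli(ev) and not filter_kaspersky(ev)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe stop Spooler", "User": "CORP\\alice"},
    {"id": 2, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc  stop KSCWebConsoleMessageQueue", "User": "NT AUTHORITY\\SYSTEM"},
    {"id": 3, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc  stop KSCWebConsoleMessageQueue", "User": "CORP\\bob"},
    {"id": 4, "Image": "C:\\Windows\\System32\\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net stop Spooler", "User": "CORP\\alice"},
    {"id": 5, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc query Spooler", "User": "CORP\\alice"},
    {"id": 6, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc stop LGHUBUpdaterService", "User": "NT-AUTORITÄT\\SYSTEM"},
]

def alert_ids(events=EVENTS):
    # Returns the ids of events the rule would flag.  # → [1, 3]
    return [ev["id"] for ev in events if matches(ev)]
```

Event 4 is not covered because the rule keys on sc.exe only, which is a reminder that this rule is one narrow signal for T1489 rather than a general service-stop detection.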