Service Startup Type Change Via Wmic.EXE
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
Sigma rule
```yaml
title: Service Startup Type Change Via Wmic.EXE
id: c0514f28-fdae-42df-b886-06e2b2bc5b37
status: experimental
description: |
    Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
references:
    - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1047
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - 'ChangeStartMode'
        CommandLine|contains:
            - 'Manual'
            - 'Disabled'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
```
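To make the rule's matching semantics concrete, the following added example (written for this page; it is not Sigma project code and is not a Sigma backend) evaluates the detection block above over a handful of constructed process-creation events. It assumes events are plain dicts keyed by the Sigma field names `Image`, `OriginalFileName` and `CommandLine`, and that string matching is case-insensitive, which is Sigma's default. The service name `ExampleSvc` in the sample command lines is a placeholder.

```python
"""Evaluate this Sigma rule's detection logic over constructed process-creation events.

Added example, not Sigma's own code. Assumptions: events are dicts with the
Sigma field names Image, OriginalFileName and CommandLine; string comparisons
are case-insensitive (Sigma's default for these modifiers).
"""
from __future__ import annotations

from typing import Iterable

# selection_img is a YAML list of maps, so its entries are OR-ed:
# either the image path ends in \WMIC.exe or the PE's OriginalFileName is wmic.exe.
SELECTION_IMG = [
    {"Image|endswith": "\\WMIC.exe"},
    {"OriginalFileName": "wmic.exe"},
]

# selection_cli is a single map, so all of its fields must match (AND).
SELECTION_CLI = {
    "CommandLine|contains|all": [" service ", "ChangeStartMode"],
    "CommandLine|contains": ["Manual", "Disabled"],
}


def _match_field(event: dict, key: str, expected) -> bool:
    """Apply one 'field|modifier...' pair to an event, case-insensitively."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    patterns = expected if isinstance(expected, list) else [expected]
    patterns = [str(p).lower() for p in patterns]
    if "contains" in modifiers:
        if "all" in modifiers:
            # contains|all: every listed substring must be present
            return all(p in value for p in patterns)
        # contains with a list: any listed substring is enough
        return any(p in value for p in patterns)
    if "endswith" in modifiers:
        return any(value.endswith(p) for p in patterns)
    # No modifier: case-insensitive equality with any listed value
    return any(value == p for p in patterns)


def _match_map(event: dict, selection: dict) -> bool:
    """All fields of one map must match."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def _match_selection(event: dict, selection) -> bool:
    """A list selection is OR of its maps; a map selection is AND of its fields."""
    if isinstance(selection, list):
        return any(_match_map(event, m) for m in selection)
    return _match_map(event, selection)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return _match_selection(event, SELECTION_IMG) and _match_selection(event, SELECTION_CLI)


def find_hits(events: Iterable[dict]) -> list[str]:
    """Return the command lines of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); 'ExampleSvc' is a placeholder name.
SAMPLE_EVENTS = [
    # Startup type set to Disabled via the documented wmic syntax: should fire
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic service where name='ExampleSvc' call ChangeStartMode Disabled"},
    # Image path no longer ends in WMIC.exe, but OriginalFileName still identifies it:
    # this is why selection_img checks both fields. Lower-case verb shows case-insensitivity.
    {"Image": "C:\\Users\\Public\\w.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe service where name='ExampleSvc' call changestartmode manual"},
    # Read-only inventory query: no ChangeStartMode, must not fire
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic service get name,startmode"},
    # Same verb but 'Automatic' is outside the rule's scope: must not fire
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic service where name='ExampleSvc' call ChangeStartMode Automatic"},
    # Different tool entirely; this rule is scoped to WMIC and must not fire
    {"Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc config ExampleSvc start= disabled"},
]

if __name__ == "__main__":
    for cmd in find_hits(SAMPLE_EVENTS):
        print("HIT:", cmd)
```

The fourth sample shows a gap worth knowing when triaging: the rule only looks for `Manual` and `Disabled`, so a startup type changed to `Automatic` is never reported, and the fifth sample shows that equivalent changes through other utilities need their own rules.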
Related rules
- Potential Windows Defender Tampering Via Wmic.EXE
- AMSI Bypass Pattern Assembly GetType
- Blue Mockingbird
- Blue Mockingbird - Registry
- ESXi Syslog Configuration Change Via ESXCLI