Navigation :

Sc.exe Manipulating Windows Services

Description

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection

Alert Volume

Medium (?)

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence

Privilege Escalation

Defense Evasion

MITRE ATT&CK Techniques

New Service

Modify Existing Service

Disabling Security Tools

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

Help
Sc.exe Manipulating Windows Services Help This search looks for the execution of sc.exe with parameters that indicate the utility is being used to create a new Windows service, or modify an existing one. Attackers often create a new service to host their malicious code, or they may take a non-critical service or one that is disabled, and modify it to point to their malware and enable the service if necessary. It is unusual for a service to be created or modified using the sc.exe utility.

Help

Sc.exe Manipulating Windows Services Help

This search looks for the execution of sc.exe with parameters that indicate the utility is being used to create a new Windows service, or modify an existing one. Attackers often create a new service to host their malicious code, or they may take a non-critical service or one that is disabled, and modify it to point to their malware and enable the service if necessary. It is unusual for a service to be created or modified using the sc.exe utility.