Sc.exe Manipulating Windows Services

Description

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Privilege Escalation
Defense Evasion

MITRE ATT&CK Techniques

New Service
Modify Existing Service
Disabling Security Tools

Kill Chain Phases

Installation

Data Sources

Endpoint Detection and Response

Sc.exe Manipulating Windows Services Help

This search looks for the execution of sc.exe with parameters indicating that the utility is being used to create a new Windows service or modify an existing one. Attackers often create a new service to host their malicious code, or they take a non-critical or disabled service, modify it to point to their malware, and enable it if necessary. It is unusual for a service to be created or modified using the sc.exe utility.
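The matching logic described above, as an added Python example run over constructed process-creation events (this is not the search shipped with this content). It assumes that the sc.exe subcommands of interest are `create` and `config`, and the event field names `host` and `cmd` are hypothetical.

```python
import ntpath
import shlex

# Assumption: these sc.exe subcommands count as "create or modify a service".
WATCHED = {"create", "config"}

def sc_service_action(command_line):
    """Return 'create' or 'config' when the command line is sc.exe creating
    or modifying a service, otherwise None."""
    try:
        # posix=False keeps Windows backslashes intact
        tokens = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quote in the logged command line
        tokens = command_line.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("sc", "sc.exe"):
        return None
    args = tokens[1:]
    if args and args[0].startswith("\\\\"):   # optional remote target: sc \\server ...
        args = args[1:]
    if args and args[0].lower() in WATCHED:
        return args[0].lower()
    return None

# Constructed process-creation events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"host": "ws-014", "cmd": r'sc.exe create UpdaterSvc binPath= "C:\Users\Public\u.exe" start= auto'},
    {"host": "ws-014", "cmd": r'"C:\Windows\System32\sc.exe" \\FILESRV01 config ExampleSvc start= disabled'},
    {"host": "ws-022", "cmd": r"sc.exe query Spooler"},
    {"host": "ws-022", "cmd": r"cmd.exe /c echo create config"},
    {"host": "ws-031", "cmd": r"SC CONFIG ExampleSvc start= demand"},
]

def detect(events):
    """Return (host, action, command line) for each matching event."""
    hits = []
    for event in events:
        action = sc_service_action(event["cmd"])
        if action:
            hits.append((event["host"], action, event["cmd"]))
    return hits

if __name__ == "__main__":
    for host, action, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: sc.exe {action} -> {cmd}")
```

Matching on the subcommand position rather than on a substring keeps read-only calls such as `sc.exe query`, and other processes whose arguments merely contain the word "create", out of the results.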