Navigation :

Sc Exe Manipulating Windows Services

Description

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence

Privilege Escalation

MITRE ATT&CK Techniques

Create or Modify System Process

Windows Service

MITRE Threat Groups

APT19

APT3

APT32

APT41

Blue Mockingbird

Carbanak

Cobalt Group

DarkVishnya

FIN7

Honeybee

Ke3chang

Kimsuky

Lazarus Group

PROMETHIUM

Threat Group-3390

Tropic Trooper

Wizard Spider

Data Sources

Endpoint Detection and Response

Search
\| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create " OR Processes.process=" config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user \| `drop_dm_object_name(Processes)` \| `security_content_ctime(firstTime)` \| `security_content_ctime(lastTime)` \| `sc_exe_manipulating_windows_services_filter` Open in Search

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`

Open in Search