Techniques
Sample rules
Excessive Usage Of SC Service Utility
- source: splunk
- techniques:
- T1569
- T1569.002
Description
This search detects suspicious, excessive use of sc.exe on a host. The technique has been observed in several ransomware families, XMRig miners and other malware, which use sc.exe to create, modify, delete or disable services (often ones belonging to security products) or as a step toward privilege escalation.
Detection logic
`sysmon` EventCode=1 process_name="sc.exe"
| eval raw_time=_time
| bucket _time span=15m
| stats min(raw_time) as firstTime max(raw_time) as lastTime values(process) as process count as numScExe by dest, _time
| eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest
| eval upperThreshold=(avgScExe + stdScExe*3)
| eval isOutlier=if(avgScExe > 5 AND numScExe >= upperThreshold, 1, 0)
| search isOutlier=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_sc_service_utility_filter`
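The bucketing and 3-sigma threshold of the rule above, re-implemented in Python over constructed Sysmon EventCode 1 records so the threshold can be inspected offline. This is an added example, not Splunk's or the Security Content project's own code. Field names (dest, process_name, process, _time) mirror the SPL; the host names and timestamps are constructed. The comparison is between each 15-minute slot count and avg + 3 * stdev, which is what the rule intends (comparing the average to its own threshold can only hold when stdev is zero). The example also goes beyond the rule to compute, for the sample standard deviation, the smallest number of slots a search window must contain before a single burst can ever cross the threshold.

```python
from collections import defaultdict
from datetime import datetime, timezone
from math import sqrt
from statistics import mean, stdev

BUCKET_SECONDS = 15 * 60   # bucket _time span=15m
MIN_AVG = 5                # avgScExe > 5
SIGMA = 3                  # upperThreshold = avgScExe + 3 * stdScExe


def _event(dest, t, cmd="sc.exe stop WinDefend"):
    """One constructed Sysmon EventCode 1 record with the fields the SPL uses."""
    return {"EventCode": 1, "process_name": "sc.exe", "process": cmd, "dest": dest, "_time": t}


def build_sample_events(base=datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()):
    """Constructed telemetry (not real data): three hosts with different 15-minute profiles."""
    events = []
    # WS-CONSTRUCTED-01: 11 quiet slots of 2 events, then a burst of 50 in the 12th slot.
    for k in range(11):
        events += [_event("WS-CONSTRUCTED-01", base + k * BUCKET_SECONDS + i * 60) for i in range(2)]
    events += [_event("WS-CONSTRUCTED-01", base + 11 * BUCKET_SECONDS + i,
                      f"sc.exe config svc{i} start= disabled") for i in range(50)]
    # WS-CONSTRUCTED-02: the same burst shape, but only 5 slots in the search window.
    for k in range(4):
        events += [_event("WS-CONSTRUCTED-02", base + k * BUCKET_SECONDS + i * 60) for i in range(2)]
    events += [_event("WS-CONSTRUCTED-02", base + 4 * BUCKET_SECONDS + i) for i in range(40)]
    # WS-CONSTRUCTED-03: a single slot with 7 events, plus a non-sc.exe event the filter drops.
    events += [_event("WS-CONSTRUCTED-03", base + i) for i in range(7)]
    events.append({"EventCode": 1, "process_name": "net.exe", "process": "net stop spooler",
                   "dest": "WS-CONSTRUCTED-03", "_time": base})
    return events


def bucket_counts(events):
    """Mirror `bucket _time span=15m | stats values(process) count as numScExe by dest, _time`,
    keeping the raw first/last timestamps per slot as firstTime/lastTime."""
    slots = {}
    for e in events:
        if e.get("EventCode") != 1 or e.get("process_name", "").lower() != "sc.exe":
            continue
        b = int(e["_time"] // BUCKET_SECONDS) * BUCKET_SECONDS
        s = slots.setdefault((e["dest"], b), {"numScExe": 0, "process": set(),
                                              "firstTime": e["_time"], "lastTime": e["_time"]})
        s["numScExe"] += 1
        s["process"].add(e["process"])
        s["firstTime"] = min(s["firstTime"], e["_time"])
        s["lastTime"] = max(s["lastTime"], e["_time"])
    return slots


def find_outliers(events, min_avg=MIN_AVG, sigma=SIGMA):
    """Per-dest eventstats avg/stdev over the slot counts, then flag slots whose
    count is at or above avg + sigma * stdev while the host's average exceeds min_avg."""
    slots = bucket_counts(events)
    per_dest = defaultdict(list)
    for (dest, _), s in slots.items():
        per_dest[dest].append(s["numScExe"])
    outliers = []
    for (dest, b), s in sorted(slots.items()):
        counts = per_dest[dest]
        # Splunk's stdev() is the sample standard deviation: with one slot it is null,
        # the threshold is null, and the comparison never holds. Same behaviour here.
        if len(counts) < 2:
            continue
        avg, std = mean(counts), stdev(counts)
        upper = avg + sigma * std
        if avg > min_avg and s["numScExe"] >= upper:
            outliers.append({"dest": dest, "_time": b, "numScExe": s["numScExe"],
                             "avgScExe": round(avg, 2), "upperThreshold": round(upper, 2),
                             "numSlots": len(counts), "process": sorted(s["process"]),
                             "firstTime": s["firstTime"], "lastTime": s["lastTime"]})
    return outliers


def min_slots_for_single_spike(sigma=SIGMA):
    """Smallest number of slots in which one burst can ever cross avg + sigma * stdev.
    With the sample standard deviation, a single extreme value among n slots has a
    z-score of at most (n - 1) / sqrt(n), so short search windows can never alert."""
    n = 2
    while (n - 1) / sqrt(n) < sigma:
        n += 1
    return n


if __name__ == "__main__":
    for hit in find_outliers(build_sample_events()):
        print(hit)
    print("minimum slots for a single-slot outlier at 3 sigma:", min_slots_for_single_spike())
```

Only WS-CONSTRUCTED-01 fires: its burst of 50 sits above a threshold of about 47.6 across 12 slots. WS-CONSTRUCTED-02 has the same burst shape but only 5 slots, so the burst inflates the standard deviation enough that the threshold (about 60.6) is never reached, and WS-CONSTRUCTED-03 has a single slot and therefore no standard deviation at all. The practical consequence is that the search window must span at least 11 fifteen-minute slots (close to three hours) per host for a one-off burst to be detectable at 3 sigma.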