Excessive execution of sc.exe is quite suspicious, since it can modify or execute an application with high-privilege permissions.

Techniques

Sample rules

Excessive Usage Of SC Service Utility

Description

This search detects suspiciously excessive usage of sc.exe on a host machine. This technique has been seen in several ransomware families, XMRig and other malware that create, modify, delete or disable a service, often one related to a security application, or use it to gain privilege escalation.

Detection logic

`sysmon` EventCode=1 process_name="sc.exe"
| bucket _time span=15m AS bucketTime
| stats values(process) as process, count as numScExe, min(_time) as firstTime, max(_time) as lastTime by dest, bucketTime
| eventstats avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest
| eval upperThreshold=(avgScExe + stdScExe*3)
| eval isOutlier=if(avgScExe > 5 AND numScExe >= upperThreshold, 1, 0)
| search isOutlier=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_sc_service_utility_filter`
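The same bucket-and-baseline logic re-implemented in Python over constructed Sysmon records, as an added example that is not the rule's or Splunk's own code; the host names, timestamps and command lines are constructed, and each bucket's count (not the host average) is compared against the avg + 3*stdev threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

BUCKET_SECONDS = 15 * 60  # "bucket _time span=15m"


def constructed_events():
    """Constructed Sysmon EventCode 1 records as (dest, timestamp, command line); not real telemetry.
    srv-fin01: 12 consecutive buckets with 6 sc.exe launches each, except the last with 30.
    wks-hr07: three sparse buckets with 1-2 launches plus one unrelated process."""
    events = []
    start = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    for i in range(12):
        for k in range(30 if i == 11 else 6):
            events.append(("srv-fin01", start + timedelta(minutes=15 * i, seconds=k), "sc.exe query Spooler"))
    for minutes, cmd in [(0, "sc.exe query Spooler"), (40, "sc.exe query Spooler"),
                         (41, "sc.exe qc Spooler"), (95, "notepad.exe"), (200, "sc.exe query Spooler")]:
        events.append(("wks-hr07", start + timedelta(minutes=minutes), cmd))
    return events


def bucket_counts(events):
    """`stats count as numScExe by dest, _time` after bucketing: sc.exe launches per (dest, 15-minute bucket)."""
    counts = defaultdict(lambda: defaultdict(int))
    for dest, ts, cmd in events:
        if cmd.split()[0].lower() != "sc.exe":
            continue
        epoch = int(ts.timestamp())
        counts[dest][epoch - epoch % BUCKET_SECONDS] += 1
    return counts


def find_outliers(events, min_avg=5, sigmas=3):
    """eventstats-style per-dest baseline over the NON-EMPTY buckets only (empty slots never reach stats),
    then flag any bucket whose count reaches avg + sigmas*stdev while the host average exceeds min_avg."""
    flagged = []
    for dest, buckets in bucket_counts(events).items():
        values = list(buckets.values())
        avg = mean(values)
        std = stdev(values) if len(values) > 1 else 0.0  # Splunk stdev is the sample (n-1) form
        upper = avg + sigmas * std
        for b, n in sorted(buckets.items()):
            if avg > min_avg and n >= upper:
                flagged.append((dest, datetime.fromtimestamp(b, timezone.utc).isoformat(), n, round(upper, 2)))
    return flagged


if __name__ == "__main__":
    for row in find_outliers(constructed_events()):
        print(row)  # -> ('srv-fin01', '2024-03-01T10:45:00+00:00', 30, 28.78)
```

Because the baseline uses the sample standard deviation, no single bucket can exceed avg + 3*stdev unless the host has at least 11 non-empty buckets, so hosts with a sparse sc.exe history never fire; wks-hr07 is additionally silenced by the avg > 5 guard.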