Techniques
Sample rules
Service StartupType Change Via PowerShell Set-Service
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the use of the PowerShell “Set-Service” cmdlet to change the startup type of a service to “disabled” or “manual”
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - Disabled
        - Manual
    CommandLine|contains|all:
        - Set-Service
        - -StartupType
selection_img:
    - Image|endswith: \powershell.exe
    - OriginalFileName: PowerShell.EXE
Service StartupType Change Via Sc.EXE
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the use of “sc.exe” to change the startup type of a service to “disabled” or “demand”
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - disabled
        - demand
    CommandLine|contains|all:
        - ' config '
        - start
selection_img:
    - Image|endswith: \sc.exe
    - OriginalFileName: sc.exe
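The following is an added example, not part of the Sigma rules above or of the Sigma project's own tooling. It re-implements the matching semantics of both rules in plain Python (case-insensitive `contains`, `contains|all`, `endswith`, a list of maps under `selection_img` meaning "either entry matches", and `condition: all of selection_*`) and runs them over a handful of constructed process-creation events. The event field names (`Image`, `OriginalFileName`, `CommandLine`) follow the fields the rules reference; the service name `ExampleSvc` and the file paths are invented sample data.

```python
"""Evaluate the two Sigma rules above against constructed process-creation events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigmaRule:
    title: str
    image_suffixes: tuple      # selection_img: Image|endswith alternatives
    original_filenames: tuple  # selection_img: OriginalFileName alternatives
    cli_contains_all: tuple    # selection_cli: CommandLine|contains|all
    cli_contains_any: tuple    # selection_cli: CommandLine|contains (any one)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers match case-insensitively by default.
    return needle.lower() in haystack.lower()


def selection_img(rule: SigmaRule, event: dict) -> bool:
    """A list of maps under selection_img is an OR: any single entry matching suffices."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return any(image.endswith(s.lower()) for s in rule.image_suffixes) or any(
        ofn == o.lower() for o in rule.original_filenames
    )


def selection_cli(rule: SigmaRule, event: dict) -> bool:
    """Keys inside one map are ANDed: every contains|all term and at least one contains term."""
    cmd = event.get("CommandLine", "")
    return all(_contains(cmd, t) for t in rule.cli_contains_all) and any(
        _contains(cmd, t) for t in rule.cli_contains_any
    )


def matches(rule: SigmaRule, event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(rule, event) and selection_cli(rule, event)


SET_SERVICE_RULE = SigmaRule(
    title="Service StartupType Change Via PowerShell Set-Service",
    image_suffixes=("\\powershell.exe",),
    original_filenames=("PowerShell.EXE",),
    cli_contains_all=("Set-Service", "-StartupType"),
    cli_contains_any=("Disabled", "Manual"),
)

SC_RULE = SigmaRule(
    title="Service StartupType Change Via Sc.EXE",
    image_suffixes=("\\sc.exe",),
    original_filenames=("sc.exe",),
    cli_contains_all=(" config ", "start"),
    cli_contains_any=("disabled", "demand"),
)

RULES = (SET_SERVICE_RULE, SC_RULE)

# Constructed sample telemetry (hypothetical paths and service name, not real captures).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-Service -Name ExampleSvc -StartupType Disabled"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe config ExampleSvc start= disabled"},
    {"Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query ExampleSvc"},                       # no ' config '
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-Service -Name ExampleSvc -StartupType Automatic"},
    # Parent cmd.exe carrying the string: selection_img fails, so the rule does not fire
    # on this event; the child sc.exe process would be logged as its own event.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c "sc config ExampleSvc start= demand"'},
]


def evaluate(events: list) -> list:
    """Return (rule title, CommandLine) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            if matches(rule, ev):
                hits.append((rule.title, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for title, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] {cmd}")
```

Only the first two events fire. The fourth shows why the `contains` list matters: a change to `Automatic` is not covered, matching the descriptions above. The last event is the caveat worth remembering when testing these rules: the command line is visible on the parent `cmd.exe`, but `selection_img` pins the match to the `sc.exe` image, so coverage depends on the child process creation being logged.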