LoFP / legitimate administrative changes to service startup types using wmic, investigate accordingly.

Techniques

Sample rules

Service Startup Type Change Via Wmic.EXE

source: sigma
technicques:
- t1047
- t1685

Description

Detects changes to service startup type to ‘disabled’ or ‘manual’ using the WMIC command-line utility.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - Manual
  - Disabled
  CommandLine|contains|all:
  - ' service '
  - ChangeStartMode
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe