LoFP / legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.

Techniques

• T1562.001

Sample rules

Excessive number of service control start as disabled

• source: splunk
• technicques:
  • T1562.001

Description

The following analytic detects an excessive number of sc.exe processes launched with the command line argument start= disabled within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.

Detection logic

| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m 
| where distinct_cmdlines >= 8 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `excessive_number_of_service_control_start_as_disabled_filter`