Techniques
Sample rules
Sc exe Manipulating Windows Services
- source: splunk
- techniques:
- T1543.003
- T1543
Description
This search looks for executions of sc.exe whose arguments include "create" or "config", indicating the creation or modification of a Windows service.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `sc_exe_manipulating_windows_services_filter`
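To show what the rule's where clause and `by` aggregation actually produce, here is an added Python emulation run over constructed Endpoint.Processes events; it is not Splunk's or the security_content project's code, and the hostnames, users, command lines and the `allowlisted_dests` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like Endpoint.Processes rows after
# `drop_dm_object_name(Processes)` has stripped the "Processes." prefix.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice", "process_name": "sc.exe",
     "parent_process_name": "cmd.exe",
     "process": "sc.exe create UpdSvc binPath= C:\\Users\\Public\\upd.exe start= auto"},
    {"_time": 1700000060, "dest": "ws01", "user": "CORP\\alice", "process_name": "sc.exe",
     "parent_process_name": "cmd.exe", "process": "sc.exe config UpdSvc start= auto"},
    {"_time": 1700000120, "dest": "ws02", "user": "CORP\\bob", "process_name": "sc.exe",
     "parent_process_name": "cmd.exe", "process": "sc.exe query wuauserv"},  # not matched
    {"_time": 1700000180, "dest": "ws02", "user": "SYSTEM", "process_name": "svchost.exe",
     "parent_process_name": "services.exe", "process": "svchost.exe -k netsvcs"},  # wrong name
]

# Processes.process="* create *" OR Processes.process="* config *": Splunk's "*"
# matches any run of characters, so the command line must contain " create " or
# " config " with a space on each side. Assumption: matching is case-insensitive.
ARG_PATTERN = re.compile(r" (create|config) ", re.IGNORECASE)

def matches_rule(event):
    """The tstats where clause: process_name = sc.exe AND a create/config argument."""
    return (event["process_name"].lower() == "sc.exe"
            and ARG_PATTERN.search(event["process"]) is not None)

def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def run_detection(events, allowlisted_dests=()):
    """Emulates the `by process_name parent_process_name dest user` aggregation;
    the trailing *_filter macro is modelled as a simple allowlist of hosts (assumption)."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            key = (ev["process_name"], ev["parent_process_name"], ev["dest"], ev["user"])
            groups[key].append(ev)
    results = []
    for (pname, parent, dest, user), evs in groups.items():
        if dest in allowlisted_dests:  # sc_exe_manipulating_windows_services_filter
            continue
        times = [e["_time"] for e in evs]
        results.append({"process_name": pname, "parent_process_name": parent, "dest": dest,
                        "user": user, "process": sorted({e["process"] for e in evs}),
                        "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return results
```

The two sc.exe invocations on ws01 collapse into one row with both command lines under `process` (values() returns distinct, sorted values), which is the shape analysts see in the alert; the allowlist stands in for the filter macro, which is normally where known-good hosts or users are tuned out.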