using sc.exe to manipulate windows services is uncommon. however, there may be legitimate instances of this behavior. it is important to validate and investigate as appropriate.

t1543
t1543.003
endpoint
splunk

Techniques

T1543
T1543.003

Sample rules

Sc exe Manipulating Windows Services

source: splunk
technicques:
- T1543.003
- T1543

Description

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

Detection logic


| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `sc_exe_manipulating_windows_services_filter`