title: Sc Or Set-Service Cmdlet Execution to Disable Services
id: 85c312b7-f44d-4a51-a024-d671c40b49fc
status: experimental
description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
author: Nasreddine Bencherchali
references:
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
date: 2022/08/01
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sc_cli:
        CommandLine|contains|all:
            - ' config '
            - 'start'
        CommandLine|contains:
            - 'disabled'
            - 'demand'
    selection_pwsh:
        CommandLine|contains|all:
            - 'Set-Service'
            - '-StartupType'
        CommandLine|contains:
            - 'Disabled'
            - 'Manual'
    condition: all of selection_sc_* or selection_pwsh
falsepositives:
    - Administrators settings a service to disable via script or cli for testing purposes
level: medium
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1562.001