Nasreddine Bencherchali
38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
title: Sc Or Set-Service Cmdlet Execution to Disable Services
|
|
id: 85c312b7-f44d-4a51-a024-d671c40b49fc
|
|
status: experimental
|
|
description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
|
|
author: Nasreddine Bencherchali
|
|
references:
|
|
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
|
|
date: 2022/08/01
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_sc_img:
|
|
- Image|endswith: '\sc.exe'
|
|
- OriginalFileName: 'sc.exe'
|
|
selection_sc_cli:
|
|
CommandLine|contains|all:
|
|
- ' config '
|
|
- 'start'
|
|
CommandLine|contains:
|
|
- 'disabled'
|
|
- 'demand'
|
|
selection_pwsh:
|
|
CommandLine|contains|all:
|
|
- 'Set-Service'
|
|
- '-StartupType'
|
|
CommandLine|contains:
|
|
- 'Disabled'
|
|
- 'Manual'
|
|
condition: all of selection_sc_* or selection_pwsh
|
|
falsepositives:
|
|
- Administrators settings a service to disable via script or cli for testing purposes
|
|
level: medium
|
|
tags:
|
|
- attack.execution
|
|
- attack.defense_evasion
|
|
- attack.t1562.001
|