Service Path Modification via sc.exe
Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.
Rule type: eql
Rule indices:
- endgame-*
- logs-endpoint.events.process-*
- logs-system.security*
- logs-windows.sysmon_operational-*
- winlogbeat-*
Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Rule Type: BBR
- Data Source: Sysmon
- Data Source: Windows Security Event Logs
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
process where event.type == "start" and process.name : "sc.exe" and
process.args : "*config*" and process.args : "*binPath*"
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Modify Registry
- Id: T1112
- Reference URL: https://attack.mitre.org/techniques/T1112/
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create or Modify System Process
- Id: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Sub Technique:
- Name: Windows Service
- Id: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/
Framework: MITRE ATT&CK
Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Create or Modify System Process
- Id: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Sub Technique:
- Name: Windows Service
- Id: T1543.003
- Reference URL: https://attack.mitre.org/techniques/T1543/003/