Detection rules › Splunk
Excessive Usage Of SC Service Utility
The following analytic detects excessive usage of the sc.exe service utility on a host machine. It leverages Sysmon EventCode 1 logs to identify instances where sc.exe is executed more frequently than normal within a 15-minute window. This behavior is significant as it is commonly associated with ransomware, cryptocurrency miners, and other malware attempting to create, modify, delete, or disable services, potentially related to security applications or for privilege escalation. If confirmed malicious, this activity could allow attackers to manipulate critical services, leading to system compromise or disruption of security defenses.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: tstats
tstats WHERE Processes.process_name="sc.exe" BY _time, Processes.dest
Stage 2: search
search
Stage 3: eventstats
eventstats avg(numScExe) AS avgScExe, avg(numScExe) AS numSlots BY dest
Stage 4: eval
eval ... using (avgScExe, stdScExe)
Stage 5: eval
eval ... using (avgScExe, upperThreshold)
Stage 6: search
search isOutlier=1
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Processes.process_name | eq |
|
isOutlier | eq |
|