Detectionhightest
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)Created Mon Oct 21Updated Fri Nov 18138d3531-8793-4f50-a2cd-f291b2863d78windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'config'
- 'binPath'
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'cmd '
- 'mshta'
- 'wscript'
- 'cscript'
- 'rundll32'
- 'svchost'
- 'dllhost'
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
138d3531-8793-4f50-a2cd-f291b2863d78
Status
test
Level
high
Type
Detection
Created
Mon Oct 21
Modified
Fri Nov 18
Path
rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1543.003