Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

New Service Creation Using Sc.EXE

Detects the creation of a new service using the "sc.exe" utility.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.communityCreated Mon Feb 20Updated Mon Sep 0185ff530b-261d-48c6-a441-facaa2e81e48windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    filter_optional_dropbox:
        ParentImage|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        ParentImage|endswith: '\Dropbox.exe'
    condition: selection and not 1 of filter_optional_*
False Positives

Legitimate administrator or user creates a service for legitimate reasons.

Software installation

References
1
Resolving title…
github.com
MITRE ATT&CK
Related Rules
SimilarDetectionlow

New Service Creation Using PowerShell

Detects the creation of a new service using powershell.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
85ff530b-261d-48c6-a441-facaa2e81e48
Status
test
Level
low
Type
Detection
Created
Mon Feb 20
Modified
Mon Sep 01
Author
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
Path
rules/windows/process_creation/proc_creation_win_sc_create_service.yml
Raw Tags
attack.persistenceattack.privilege-escalationattack.t1543.003
View on GitHub