New Service Creation Using Sc.EXE

Rule Info

Name
New Service Creation Using Sc.EXE
Author
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
Description
Detects the creation of a new service using the "sc.exe" utility.
Reference
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
Date
2023-02-20 00:00:00
Modified
None
Id
85ff530b-261d-48c6-a441-facaa2e81e48
Tags
attack.persistence attack.privilege-escalation attack.t1543.003
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=85ff530b-261d-48c6-a441-facaa2e81e48

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
feat: multiple fixes and updates
2023-02-21
63888f7a5
frack113
order yaml
2022-10-28
1f8e37351
Nasreddine Bencherchali
New Rules + Update
2022-07-14
16b294502
Nasreddine Bencherchali
Update Ref+Selection 2
2022-07-11
12d187bc9
frack113
Normalization of rule names
2022-02-22
8bb3379b6
frack113
remove invalid tag
2022-01-19
4631d0c48
frack113
Change status for old rules
2021-11-27
f04a6bb1c
frack113
Change status for old rules
2021-11-27
01dc930c1
leegengyu
Updated ART reference links from .yaml
2021-07-06
69d5d9734
Yugoslavskiy Daniil
review windows/process_creation part 4
2020-09-02
11e0f794d
Bar Haim
Update win_new_service_creation.yml
2020-08-16
4168f1e43
Ivan Kirillov
Fixed indentation
2020-06-16
5c0bb0e94
Ivan Kirillov
Initial round of subtechnique updates
2020-06-16
0fbfcc6ba
Thomas Patzke
Rule fixes
2020-02-20
373424f14
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022