Service Startup Type Change Via Wmic.EXE

Rule Info

Name
Service Startup Type Change Via Wmic.EXE
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
Reference
https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
Date
2026-04-27 00:00:00
Modified
None
Id
c0514f28-fdae-42df-b886-06e2b2bc5b37
Tags
attack.execution attack.defense-impairment attack.t1047 attack.t1685
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=c0514f28-fdae-42df-b886-06e2b2bc5b37

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
2026-04-29
34c5d66c2
Swachchhanda Shrawan Poudel
Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules
2026-04-28
180991bc8
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022