Pause Windows Service Via Sc.EXE

Rule Info

Name
Pause Windows Service Via Sc.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of the "sc.exe" utility with the "pause" flag. This flag would allow a user to send a PAUSE control request to the a service. While not not all services can be paused. Those that do, do not perform the same when paused. Some services continue to service existing clients but refuse to accept new clients. Others cease to service existing clients and also refuse to accept new clients.
Reference
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742122(v=ws.11)
Date
2024-04-29 00:00:00
Modified
None
Id
d6d72f54-b53d-4196-b127-36d169419c20
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022