Lock Windows Service Control Manager Database Via Sc.EXE

Rule Info

Name
Lock Windows Service Control Manager Database Via Sc.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of the "sc.exe" utility with the "lock" flag in order to lock the Service Control Manager database. Locking the Service Control Manager's database prevents any services from starting. This ensures that a service will not be started after it has been stopped, which can enable attackers to perform an action (for example, deleting the service) without interference.
Date
2024-04-29 00:00:00
Modified
None
Id
f6ef57fb-1b9f-40a5-84e8-967b0478121a
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)

Rule History