Uncommon Service Create/Config

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

System Services: Service Execution (T1569.002)

Severity

Medium

Description

The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

Attacker's Goals

Evading security controls and possibly persisting malware.

Investigative actions

Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.
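To make the description and the investigative action above concrete, here is an added example of the baseline-then-alert pattern this alert family describes. It is not Cortex XDR's detection logic and not Palo Alto Networks code: it parses constructed process-start events for `sc.exe create` / `sc.exe config`, learns which (service name, binPath) pairs each host normally uses during a training window, and raises an alert for a pair never seen on that host, suppressing repeats of the same alert inside a one-hour deduplication window. The events, host names, users and paths are all constructed; the training cutoff and dedup window are parameters chosen to mirror the periods listed on this page.

```python
"""Per-host baseline of sc.exe create/config events, with dedup (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(hours=1)   # mirrors the page's 1-hour deduplication period

# Constructed process-start events: (UTC timestamp, host, user, command line).
# Not real telemetry; hosts, users and paths are invented for the example.
EVENTS = [
    # training period: a deployment account installs the standard agent service
    ("2024-04-01T08:00:00", "WS01", "CORP\\svc_deploy",
     r'sc.exe create AgentSvc binPath= "C:\Program Files\Agent\agent.exe" start= auto'),
    ("2024-04-02T09:10:00", "WS02", "CORP\\svc_deploy",
     r'sc.exe create AgentSvc binPath= "C:\Program Files\Agent\agent.exe" start= auto'),
    ("2024-04-15T10:00:00", "WS01", "CORP\\svc_deploy",
     r'sc config AgentSvc binPath= "C:\Program Files\Agent\agent.exe"'),
    # activation period
    ("2024-05-06T11:00:00", "WS01", "CORP\\svc_deploy",
     r'C:\Windows\System32\sc.exe config AgentSvc binPath= "C:\Program Files\Agent\agent.exe"'),
    ("2024-05-06T11:05:00", "WS01", "CORP\\jdoe",
     r'sc.exe create Updater binPath= "C:\Users\Public\upd.exe" start= auto'),
    ("2024-05-06T11:06:00", "WS02", "CORP\\jdoe", r'sc.exe query Updater'),  # not create/config
    ("2024-05-06T11:30:00", "WS01", "CORP\\jdoe",
     r'sc.exe create Updater binPath= "C:\Users\Public\upd.exe" start= auto'),  # inside dedup window
    ("2024-05-06T13:00:00", "WS01", "CORP\\jdoe",
     r'sc.exe create Updater binPath= "C:\Users\Public\upd.exe" start= auto'),  # outside dedup window
    ("2024-05-07T08:00:00", "WS03", "CORP\\svc_deploy",
     r'sc.exe create AgentSvc binPath= "C:\Program Files\Agent\agent.exe" start= auto'),  # new host
]

SC_IMAGE_RE = re.compile(r'^(?:.*\\)?sc(?:\.exe)?$', re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted paths with spaces as one token


def parse_sc_command(cmdline):
    """Parse 'sc [\\\\server] create|config <name> key= value ...'.

    Returns {"action", "service", "binpath"} for create/config commands, or None
    when the command is not sc.exe or is some other sc verb (query, start, ...).
    sc.exe expects 'binPath= value' (space after '='), so the value is the next token.
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not SC_IMAGE_RE.match(tokens[0]):
        return None
    args = tokens[1:]
    if args and args[0].startswith("\\\\"):   # optional remote server argument
        args = args[1:]
    if len(args) < 2 or args[0].lower() not in ("create", "config"):
        return None
    action, service, rest = args[0].lower(), args[1], args[2:]
    binpath = None
    i = 0
    while i < len(rest):
        key, _, val = rest[i].partition("=")
        if key.lower() == "binpath":
            if val == "" and i + 1 < len(rest):
                val = rest[i + 1]
                i += 1
            binpath = val
        i += 1
    return {"action": action, "service": service, "binpath": binpath}


def detect(events, training_end, dedup_window=DEDUP_WINDOW):
    """Learn (service, binpath) pairs per host from events before training_end,
    then alert on later create/config events whose pair was never seen on that host.
    Repeated alerts for one (host, service, binpath) within dedup_window are suppressed."""
    cutoff = datetime.fromisoformat(training_end)
    baseline = defaultdict(set)   # host -> {(service, binpath)}
    last_alert = {}               # (host, service, binpath) -> time of last alert
    alerts = []
    for ts, host, user, cmdline in sorted(events, key=lambda e: e[0]):
        parsed = parse_sc_command(cmdline)
        if parsed is None:
            continue
        when = datetime.fromisoformat(ts)
        key = (parsed["service"].lower(), (parsed["binpath"] or "").lower())
        if when < cutoff:
            baseline[host].add(key)
            continue
        if key in baseline[host]:
            continue                      # normal for this host
        dedup_key = (host,) + key
        prev = last_alert.get(dedup_key)
        if prev is not None and when - prev < dedup_window:
            continue                      # same alert already raised within the window
        last_alert[dedup_key] = when
        alerts.append({"time": ts, "host": host, "user": user, "action": parsed["action"],
                       "service": parsed["service"], "binpath": parsed["binpath"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, "2024-05-01"):
        print(a)
```

Running the block yields three alerts: two for the `Updater` service on WS01 (the 11:30 repeat is deduplicated, the 13:00 one is outside the window), and one for `AgentSvc` on WS03, where the standard agent had never been installed before. The third alert is exactly the case the investigative action covers: the same deployment account, same binary path and same service name that are normal elsewhere in the estate, so an analyst checking whether the change is normal for the host and user would close it as benign, whereas a user-initiated service pointing at a path under `C:\Users\Public` warrants a closer look.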