Uncommon remote service start via sc.exe

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Malicious Service Analytics

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

System Services: Service Execution (T1569.002)

Severity

Low

Description

The Service Control command (sc.exe) is used to create, start, stop, query, or delete Windows services. Adversaries may attempt to use the command to execute and persist a binary, command, or script.

Attacker's Goals

The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.

Investigative actions

  • Check whether the executed process is benign and whether starting a service on a remote host is expected as part of its normal execution flow.
  • Check the remote host for any evidence of the service that was started (its binary path, creation time and the account used) and investigate it.
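The baselining idea behind this alert, as an added illustration that is not Cortex XDR's own detection logic: parse process-creation command lines for sc.exe invocations that name a remote host (`\\server`) and the `start` verb, build a baseline of (source host, target, service) triples seen during the training period, and raise one alert per day for any triple that first appears in the activation window. Hostnames, service names and events are constructed for the example.

```python
import re

# Constructed sample process-creation events: (day, source host, command line).
# Made up for illustration; not real telemetry.
TRAINING = [
    ("2024-11-05", "ADMIN-WS01", r'sc.exe \\FILESRV01 start Spooler'),
    ("2024-11-12", "ADMIN-WS01", r'"C:\Windows\System32\sc.exe" \\FILESRV01 start Spooler'),
    ("2024-11-20", "ADMIN-WS01", r'sc query wuauserv'),
]
ACTIVATION = [
    ("2024-12-01", "ADMIN-WS01", r'sc.exe \\FILESRV01 start Spooler'),  # in baseline, no alert
    ("2024-12-01", "HR-WS07", r'sc.exe \\DC01 start svcupdate'),        # new triple, alert
    ("2024-12-01", "HR-WS07", r'sc \\DC01 start svcupdate'),            # same day, deduplicated
    ("2024-12-02", "HR-WS07", r'sc.exe \\DC01 start svcupdate'),        # next day, alerts again
    ("2024-12-02", "HR-WS07", r'sc.exe start svcupdate'),               # local start, out of scope
]

def parse_sc(cmdline):
    """Return {'target', 'verb', 'service'} for an sc/sc.exe command line, else None."""
    parts = cmdline.split()
    if not parts:
        return None
    exe = re.split(r"[\\/]", parts[0].strip('"'))[-1].lower()
    if exe not in ("sc", "sc.exe"):
        return None
    args = parts[1:]
    target = None
    if args and args[0].startswith("\\\\"):  # sc accepts \\server as its first argument
        target = args[0][2:].lower()
        args = args[1:]
    if not args:
        return None
    service = args[1].lower() if len(args) > 1 else None
    return {"target": target, "verb": args[0].lower(), "service": service}

def remote_start_key(host, cmdline):
    """(source host, target host, service) for a remote 'sc start', else None."""
    p = parse_sc(cmdline)
    if p and p["target"] and p["verb"] == "start" and p["service"]:
        return (host.lower(), p["target"], p["service"])
    return None

def flag_uncommon_remote_starts(training, window):
    """Alert on triples absent from the training baseline; one alert per triple per day."""
    baseline = set()
    for _day, host, cmd in training:
        key = remote_start_key(host, cmd)
        if key:
            baseline.add(key)
    seen, alerts = set(), []
    for day, host, cmd in window:
        key = remote_start_key(host, cmd)
        if key is None or key in baseline or (day, key) in seen:
            continue
        seen.add((day, key))
        alerts.append((day,) + key)
    return alerts
```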