Service Stop or Disable with sc.exe¶

Detects when running services are stopped with the sc.exe command

id:	591da84a-0382-40e7-afc8-12bd58c40425
categories:	enrich
confidence:	low
os:	windows
created:	7/26/2019
updated:	7/26/2019

MITRE ATT&CK™ Mapping¶

tactics:	Impact
techniques:	T1489 Service Stop

Query¶

process where subtype.create and
  process_name == "sc.exe" and
  wildcard(command_line, "* stop*", "* config *disabled*")

Contributors¶

Endgame

Read the Docs v: latest

Versions: latest

Downloads: pdf; html; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.