Suspicious Use of sc.exe for Remote Service Manipulation
The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.
This detection rule identifies the suspicious use of sc.exe (the Service Control utility that talks to the Service Control Manager) to create, modify, or start services on remote Windows hosts. System administrators may legitimately use this tool, but using it for lateral movement is a well-known attacker technique. This activity is often part of a larger attack campaign in which adversaries attempt to reach sensitive data or critical systems. The rule aims to detect unauthorized attempts to manipulate services on remote systems while distinguishing legitimate administrative tasks from malicious activity. The rule is designed for data generated by Elastic Defend, but also supports Sysmon data.
Attack Chain
- An attacker gains initial access to a compromised host within the network.
- The attacker uses sc.exe with the create command to create a new service on a remote host, specifying a malicious executable as the binPath.
- The attacker uses sc.exe with the config command to modify an existing service on a remote host, changing its binPath to point to a malicious executable.
- The attacker uses sc.exe with the failure command to configure service failure options to execute a malicious command.
- The attacker uses sc.exe with the start command to start a service on a remote host, triggering the execution of the malicious executable.
- The malicious executable executes on the remote host, providing the attacker with a foothold for further actions.
- The attacker leverages the newly established foothold to move laterally to other systems within the network, potentially escalating privileges and accessing sensitive data.
- The attacker establishes persistence through the created or modified service, allowing continued access even after system reboots.
Impact
Successful exploitation can allow attackers to move laterally within a network, gain unauthorized access to sensitive data, and establish persistence on compromised systems. While the source material doesn’t provide specific victim counts or sectors targeted, the impact of successful lateral movement can be significant, potentially leading to data breaches, system disruption, and financial losses.
Recommendation
- Deploy the Sigma rule “Service Command Lateral Movement” to your SIEM and tune for your environment based on observed false positives from administrative activity.
- Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to enhance visibility into sc.exe activity.
- Review and whitelist legitimate administrative scripts or tools that use sc.exe by their process names or paths to reduce false positives, as described in the rule's documentation.
- Implement network segmentation to limit the ability of adversaries to move laterally across the network, mitigating the impact of successful exploitation.
Detection coverage (3 rules)
Service Creation on Remote Host via SC.exe
Severity: medium. Detects the creation of a service on a remote host using sc.exe, which can be indicative of lateral movement.
Service Modification on Remote Host via SC.exe
Severity: medium. Detects the modification of a service on a remote host using sc.exe, which can be indicative of lateral movement.
SC.exe Remote Service Start
Severity: low. Detects sc.exe being used to start a service on a remote host.
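The three coverage entries above, and the recommendation to log Sysmon Event ID 1 and allowlist approved admin tooling, can be approximated with a small triage script. The following is an added example written for this page; it is not the platform's own detection query. It assumes Sysmon Event ID 1 records reduced to the Image, CommandLine, ParentImage and Computer fields, parses the sc.exe syntax `sc [\\ServerName] <command> [ServiceName] [options]`, and maps the create, config and failure commands to the medium-severity rules and start to the low-severity one (grouping failure with modification is an assumption, since the page gives it no rule of its own). The sample events, the allowlisted parent path and every binPath value are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# sc.exe command -> (rule name from the coverage list above, severity).
# "failure" is grouped with modification here; that mapping is an assumption.
REMOTE_VERBS = {
    "create": ("Service Creation on Remote Host via SC.exe", "medium"),
    "config": ("Service Modification on Remote Host via SC.exe", "medium"),
    "failure": ("Service Modification on Remote Host via SC.exe", "medium"),
    "start": ("SC.exe Remote Service Start", "low"),
}

# Parent processes approved to drive sc.exe against remote hosts (constructed
# placeholder; replace with the environment's own admin tooling paths).
ALLOWED_PARENTS = {r"c:\program files\exampleadmintool\deploy.exe"}

# Server names that still mean "this machine" and are out of scope for the rule.
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}


@dataclass
class Alert:
    rule: str
    severity: str
    host: str        # machine that ran sc.exe
    target: str      # remote server named on the command line
    verb: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sc_target(command_line: str) -> tuple[Optional[str], Optional[str]]:
    """Return (remote_server, command) for an sc.exe command line.

    remote_server is None when no \\ServerName argument precedes the command."""
    tokens = command_line.split()
    args = tokens[1:]
    server = None
    if args and args[0].startswith("\\\\"):
        server = args[0][2:].lower()
        args = args[1:]
    verb = args[0].lower() if args else None
    return server, verb


def evaluate_event(event: dict) -> Optional[Alert]:
    """Apply the remote-service-manipulation logic to one process-creation event."""
    if _basename(event.get("Image", "")) != "sc.exe":
        return None
    server, verb = parse_sc_target(event.get("CommandLine", ""))
    if server is None or server in LOCAL_NAMES or server == event.get("Computer", "").lower():
        return None  # local service management is not what this rule targets
    if verb not in REMOTE_VERBS:
        return None  # read-only commands such as query / qc are ignored
    if event.get("ParentImage", "").lower() in ALLOWED_PARENTS:
        return None  # approved administrative tooling, tuned out as a false positive
    rule, severity = REMOTE_VERBS[verb]
    return Alert(rule, severity, event.get("Computer", ""), server, verb, event["CommandLine"])


def evaluate_events(events) -> list:
    return [a for a in (evaluate_event(e) for e in events) if a is not None]


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc.exe \\FILESRV01 create UpdSvc binPath= "C:\Users\Public\placeholder.exe"'},
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc query wuauserv"},
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'sc \\APP01 failure UpdSvc reset= 0 command= "C:\temp\placeholder.cmd"'},
    {"Computer": "MGMT-01", "Image": r"C:\Windows\System32\sc.exe",
     "ParentImage": r"C:\Program Files\ExampleAdminTool\deploy.exe",
     "CommandLine": r'sc.exe \\FILESRV02 config Spooler binPath= "C:\Windows\System32\spoolsv.exe"'},
    {"Computer": "WS-042", "Image": r"C:\Windows\SysWOW64\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc.exe \\. start Spooler"},
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"sc.exe \\FILESRV01 start UpdSvc"},
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.host} -> {alert.target} ({alert.verb})")
```

Run against the constructed sample, the script raises three alerts (create and failure at medium, start at low) and stays silent on the local query, the local `\\.` start, and the config issued by the allowlisted deployment tool. Tuning happens in ALLOWED_PARENTS and LOCAL_NAMES; in a SIEM the same three conditions (remote server token, mutating command, non-allowlisted parent) are what the platform's queries express.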
Detection queries are kept inside the platform.