{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sc.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["lateral-movement","windows","sc.exe"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies the suspicious use of \u003ccode\u003esc.exe\u003c/code\u003e (Service Control Manager) to create, modify, or start services on remote Windows hosts. While system administrators may legitimately use this tool, its use for lateral movement is a known technique used by attackers. This activity is often part of a larger attack campaign, where adversaries attempt to gain access to sensitive data or critical systems. The rule aims to detect unauthorized attempts to manipulate services on remote systems, differentiating between legitimate administrative tasks and malicious activities.\nThe rule is designed for data generated by Elastic Defend, but also supports Sysmon data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003ecreate\u003c/code\u003e command to create a new service on a remote host, specifying a malicious executable as the \u003ccode\u003ebinPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003econfig\u003c/code\u003e command to modify an existing service on a remote host, changing its \u003ccode\u003ebinPath\u003c/code\u003e to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003efailure\u003c/code\u003e command to configure service failure options to execute a malicious command.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003estart\u003c/code\u003e command to start a service on a remote host, triggering the execution of the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable executes on the remote host, providing the attacker with a foothold for further actions.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly established foothold to move laterally to other systems within the network, potentially escalating privileges and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through the created or modified service, allowing continued access even after system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to move laterally within a network, gain unauthorized access to sensitive\ndata, and establish persistence on compromised systems. While the source material doesn\u0026rsquo;t provide specific victim counts or sectors targeted, the impact of successful lateral movement can be significant, potentially leading to data breaches, system disruption, and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Service Command Lateral Movement\u0026rdquo; to your SIEM and tune for your environment based on observed false positives from administrative activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to enhance visibility into \u003ccode\u003esc.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative scripts or tools that use \u003ccode\u003esc.exe\u003c/code\u003e by their process names or paths to reduce false positives, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the ability of adversaries to move laterally across the network, mitigating the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cmd-service-lateral-movement/","summary":"The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.","title":"Suspicious Use of sc.exe for Remote Service Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-cmd-service-lateral-movement/"}],"language":"en","title":"CraftedSignal Threat Feed — Sc.exe","version":"https://jsonfeed.org/version/1.1"}