{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/service-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Windows Security Event Logs"],"_cs_severities":["low"],"_cs_tags":["privilege-escalation","defense-evasion","execution","windows","service-creation"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where the Service Control utility (sc.exe) is executed from within a script interpreter, such as cmd.exe, PowerShell, or wscript.exe. Attackers may leverage this behavior to create, modify, or start Windows services, often with the intent to elevate privileges or establish persistence on a compromised system. sc.exe is a legitimate Windows command-line tool used for managing services, so abusing it allows attackers to perform malicious actions under the guise of legitimate system administration. This detection is designed to identify anomalous use of sc.exe that deviates from typical administrative tasks, focusing on instances where it\u0026rsquo;s spawned from scripting environments often used for malicious activities. 
The rule specifically excludes service creations performed by the SYSTEM user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script interpreter (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eWithin the script interpreter, the attacker uses sc.exe to manage Windows services.\u003c/li\u003e\n\u003cli\u003eThe sc.exe command is used with arguments such as \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; to manipulate service configurations.\u003c/li\u003e\n\u003cli\u003eA new service is created or an existing service is modified to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious service is started, allowing the attacker to execute code with elevated privileges (SYSTEM).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by ensuring the malicious service automatically starts upon system reboot.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the created service to execute additional malicious commands or maintain remote access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to complete system compromise, with the attacker gaining SYSTEM-level privileges. This can enable lateral movement within the network, data exfiltration, or installation of persistent backdoors. 
While the frequency of this specific technique may be low, the potential impact is high due to the elevated privileges gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService Control Spawning via Script Interpreter\u003c/code\u003e to your SIEM to detect this specific behavior and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for sc.exe being executed by script interpreters like PowerShell or cmd.exe (as covered in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of sc.exe being used with the arguments \u0026ldquo;create\u0026rdquo;, \u0026ldquo;start\u0026rdquo;, \u0026ldquo;stop\u0026rdquo;, \u0026ldquo;delete\u0026rdquo;, or \u0026ldquo;config\u0026rdquo; from scripting environments to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eEnsure proper access controls are in place to limit the ability of users to create or modify services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-service-control-script-spawn/","summary":"Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.","title":"Service Control Executed from Script Interpreters","url":"https://feed.craftedsignal.io/briefs/2024-01-02-service-control-script-spawn/"}],"language":"en","title":"CraftedSignal Threat Feed — Service-Creation","version":"https://jsonfeed.org/version/1.1"}