Service Path Modification with sc.exe
Identifies usage of the sc.exe command to modify existing services.
| id: | 15c17f6b-29c5-43a4-8adc-d298f2c4c141 |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Persistence |
|---|---|
| techniques: | T1031 Modify Existing Service |
Query
```
process where subtype.create and
process_name == "sc.exe" and
wildcard(command_line, "* config *", "*binPath*")
```
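
The query's logic replayed in Python over constructed process events, as an added example that is not part of the original analytic or its library. `wildcard()` succeeds when either pattern matches, so the hits include `config` changes that never touch `binPath` and service creation that sets `binPath`, which fits the low confidence rating. The dict keys, the helper names (`matches_query`, `triage`, `run_hunt`, `ev`) and case-insensitive comparison are assumptions of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Patterns from the query's wildcard() call; a hit on either one is enough.
PATTERNS = ["* config *", "*binPath*"]
CONFIG_RE = re.compile(r'\sconfig\s+("[^"]*"|\S+)', re.IGNORECASE)
BINPATH_RE = re.compile(r'binpath=\s*("[^"]*"|\S+)', re.IGNORECASE)

def matches_query(event):
    """Same three conditions as the query, compared case-insensitively (assumed)."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    if event.get("process_name", "").lower() != "sc.exe":
        return False
    cmd = event.get("command_line", "").lower()
    return any(fnmatchcase(cmd, p.lower()) for p in PATTERNS)

def triage(event):
    """Extract the fields an analyst reviews first for a hit."""
    svc = CONFIG_RE.search(event["command_line"])
    path = BINPATH_RE.search(event["command_line"])
    return {
        "service": svc.group(1).strip('"') if svc else None,
        "new_binpath": path.group(1).strip('"') if path else None,
    }

def run_hunt(events):
    """Return triage records for every event the query would match."""
    return [triage(e) for e in events if matches_query(e)]

def ev(subtype, name, cmd):
    """Build one process event (hypothetical field layout)."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": cmd}

# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    ev("create", "sc.exe", r'sc.exe config ExampleSvc binPath= "C:\Temp\example.exe"'),
    ev("create", "sc.exe", r'sc.exe config ExampleSvc start= auto'),
    ev("create", "SC.EXE", r'sc.exe create ExampleSvc binPath= "C:\Program Files\Example\svc.exe"'),
    ev("create", "sc.exe", r'sc.exe query ExampleSvc'),
    ev("terminate", "sc.exe", r'sc.exe config ExampleSvc binPath= "C:\Temp\example.exe"'),
    ev("create", "cmd.exe", r'cmd.exe /c echo config binPath'),
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_EVENTS):
        print(hit)
```

Hits with a `new_binpath` are the ones relevant to service path modification; a hit with `service` set to `None` came from a command other than `config`.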