Execution of Existing Service via Command

Identifies attempts to execute an existing service by running a built-in Windows command.

id: 45861478-8ba3-4302-9600-1970d5d8b074
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Execution
techniques: T1035 Service Execution

Query

process where subtype.create and (
  (process_name == "sc.exe" and command_line == "* start *") or
  (process_name == "net.exe" and match(command_line, ?".*? start *[\s].*")) or
  (process_name == "powershell.exe" and wildcard(command_line, "*Start-Service*")) or
  (process_name == "wmic.exe" and wildcard(command_line, "*service*call*startservice*"))
)
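
To see what the analytic above flags and ignores, here is an added Python re-implementation of its four clauses run over constructed process-creation events; it is not part of the eqllib analytic itself. It assumes EQL string matching is case-insensitive and that match() is anchored, and the event field names, sample command lines and the run_rule helper are illustrative.

```python
import fnmatch
import re

# Constructed sample process events (not real telemetry); the last three
# are negatives that the analytic should ignore.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "sc.exe",
     "command_line": "sc.exe start Spooler"},
    {"event_type": "process", "subtype": "create", "process_name": "net.exe",
     "command_line": "net  start  wuauserv"},
    {"event_type": "process", "subtype": "create", "process_name": "powershell.exe",
     "command_line": "powershell.exe -NoP -c Start-Service -Name BITS"},
    {"event_type": "process", "subtype": "create", "process_name": "wmic.exe",
     "command_line": "wmic service where name='Spooler' call startservice"},
    {"event_type": "process", "subtype": "create", "process_name": "sc.exe",
     "command_line": "sc.exe query Spooler"},      # no " start "
    {"event_type": "process", "subtype": "terminate", "process_name": "net.exe",
     "command_line": "net start Spooler"},         # not a create event
    {"event_type": "process", "subtype": "create", "process_name": "net.exe",
     "command_line": "net stop Spooler"},          # stop, not start
]

# Same regex as the analytic's match() clause; EQL match() is anchored, so
# fullmatch is used. Case-insensitive matching is assumed (as for EQL strings).
NET_START_RE = re.compile(r".*? start *[\s].*", re.IGNORECASE)

# Per-process wildcard patterns lifted from the query, lower-cased.
WILDCARDS = {
    "sc.exe": "* start *",
    "powershell.exe": "*start-service*",
    "wmic.exe": "*service*call*startservice*",
}

def matches_rule(event):
    """True when the event satisfies the analytic's EQL conditions."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    if name == "net.exe":
        return NET_START_RE.fullmatch(cmd) is not None
    pattern = WILDCARDS.get(name)
    return pattern is not None and fnmatch.fnmatchcase(cmd.lower(), pattern)

def run_rule(events):
    """Return the command lines of every event the analytic would flag."""
    return [e["command_line"] for e in events if matches_rule(e)]
```

Because the rule keys on a bare " start " substring, benign administration (an operator restarting the print spooler) will match too, which is why its confidence is low and it is meant to enrich rather than alert on its own.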

Contributors