Service Stop or Disable with sc.exe

Detects when running services are stopped with the sc.exe command

id:591da84a-0382-40e7-afc8-12bd58c40425 categories:enrich confidence:low os:windows created:7/26/2019 updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Impact techniques:T1489 Service Stop

Query

process where subtype.create and
  process_name == "sc.exe" and
  wildcard(command_line, "* stop*", "* config *disabled*")

Contributors

• Endgame