Splunk Lantern

Sc.exe manipulating Windows services

It is unusual for a service to be created or modified using the sc.exe utility, so you want to look for instances of this occurring so you can investigate further.

Attackers often create a new service to host their malicious code, or they may take a non-critical service or one that is disabled and modify it to point to their malware, enabling the service if necessary.

Data required 

System log data

Procedure

  1. To complete this process, your deployment needs to ingest process activity from your hosts, including logs that carry both the process name and the full command line from your endpoints. You should also ensure you are ingesting normalized endpoint data that populates the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") BY Processes.process_name Processes.parent_process_name Processes.dest Processes.user 
|rename "Processes.*" as "*" 
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

|tstats summariesonly=true allow_old_summaries=true values(Processes.process) AS process min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") BY Processes.process_name Processes.parent_process_name Processes.dest Processes.user 

Query the Endpoint.Processes data model object for the process name "sc.exe" whose command line contains the keyword "create" or "config". Group the results by process name, parent process name, destination, and user, returning the distinct command lines seen along with the first and last time each combination was observed.

|rename "Processes.*" as "*" 

Rename the data model object for better readability.

|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)

Convert these times into readable strings.
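To make the logic of the search concrete, the following is an added Python example (not code from Splunk Lantern or the ESCU project) that applies the same filter and grouping to a few constructed process events. The flat field names, the ISO timestamps and the case-insensitive match are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint process events. Field names are assumed to mirror the
# Endpoint.Processes data model (process_name, process, parent_process_name, dest, user).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "process_name": "sc.exe",
     "process": "sc.exe create evilsvc binPath= C:\\Users\\Public\\svc.exe start= auto",
     "parent_process_name": "cmd.exe", "dest": "host01", "user": "CORP\\alice"},
    {"_time": "2024-05-01T10:05:00", "process_name": "sc.exe",
     "process": "sc.exe config evilsvc start= auto",
     "parent_process_name": "cmd.exe", "dest": "host01", "user": "CORP\\alice"},
    {"_time": "2024-05-01T11:00:00", "process_name": "sc.exe",
     "process": "sc.exe query wuauserv",  # benign query: should not match
     "parent_process_name": "powershell.exe", "dest": "host02", "user": "CORP\\bob"},
    {"_time": "2024-05-01T11:30:00", "process_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs",  # not sc.exe: should not match
     "parent_process_name": "services.exe", "dest": "host02", "user": "SYSTEM"},
]

def is_service_manipulation(event):
    """Mirror the WHERE clause: process_name is sc.exe and the command line
    contains ' create ' or ' config ' (the wildcards in "* create *" require
    a space on both sides, so a bare 'sc.exe create' would not match)."""
    if event.get("process_name", "").lower() != "sc.exe":
        return False
    cmdline = event.get("process", "").lower()  # case-insensitive match is assumed
    return " create " in cmdline or " config " in cmdline

def summarize(events):
    """Mirror the BY clause and aggregations: group matching events by
    (process_name, parent_process_name, dest, user) and collect the distinct
    command lines plus first and last time seen, formatted like the convert commands."""
    groups = defaultdict(lambda: {"process": set(), "first": None, "last": None})
    for ev in events:
        if not is_service_manipulation(ev):
            continue
        key = (ev["process_name"], ev["parent_process_name"], ev["dest"], ev["user"])
        ts = datetime.fromisoformat(ev["_time"])
        g = groups[key]
        g["process"].add(ev["process"])
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    fmt = "%m/%d/%Y %H:%M:%S"
    return {k: {"process": sorted(v["process"]),
                "firstTime": v["first"].strftime(fmt),
                "lastTime": v["last"].strftime(fmt)} for k, v in groups.items()}

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(key, row)
```

Each row returned corresponds to one line of the tstats output, which is the unit an analyst would triage.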

Next steps

Using sc.exe to create or configure Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.

Investigate web and authentication activity on the destination. If you have the Splunk Enterprise Security app, you can leverage the Threat Intel Framework to watch for traffic from known malicious IP addresses.

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

Finally, you might be interested in other processes associated with the Detecting techniques in the Orangeworm attack group, Recognizing improper use of system administration tools, and Detecting lateral movement with Active Directory data use cases.