← Library
splApache-2.0from splunk/security_content

Excessive number of service control start as disabled

The following analytic detects an excessive number of `sc.exe` processes launched with the command line argument `start= disabled` within a short period. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and process GUIDs. This activity is significant as it may indicate an attempt to disable critical services, potentially impairing system defenses. If confirmed malicious, this behavior could allow an attacker to disrupt security mechanisms, hinder incident response, and maintain control over the compromised system.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name = "sc.exe"
    AND
    Processes.process="*start= disabled*"
  BY Processes.dest Processes.user Processes.parent_process
     Processes.process_name Processes.parent_process_id, _time
     span=30m
| where distinct_cmdlines >= 8
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_number_of_service_control_start_as_disabled_filter`
Excessive number of service control start as disabled · SPL rule | DetectionLint