
Sc (41be663f-ecc9-4ab6-afeb-c52737f84858)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to manage services

Author: Oddvar Moe

Paths:

* C:\Windows\System32\sc.exe
* C:\Windows\SysWOW64\sc.exe

Resources:

* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Detection:

* Sigma: proc_creation_win_susp_service_creation.yml
* Sigma: proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
* Sigma: proc_creation_win_sc_service_path_modification.yml
* Splunk: sc_exe_manipulating_windows_services.yml
* Elastic: lateral_movement_cmd_service.toml
* IOC: Unexpected service creation
* IOC: Unexpected service modification

[Sc.exe - LOLBAS Project]

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Medusa Ransomware Actors (316a49d5-5fe0-4e0b-a276-f955f4277162) | Tidal Groups | Sc (41be663f-ecc9-4ab6-afeb-c52737f84858) | Tidal Software | 1 |