Sc (41be663f-ecc9-4ab6-afeb-c52737f84858)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to manage services
Author: Oddvar Moe
Paths:
* C:\Windows\System32\sc.exe
* C:\Windows\SysWOW64\sc.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Detection:
* Sigma: proc_creation_win_susp_service_creation.yml
* Sigma: proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
* Sigma: proc_creation_win_sc_service_path_modification.yml
* Splunk: sc_exe_manipulating_windows_services.yml
* Elastic: lateral_movement_cmd_service.toml
* IOC: Unexpected service creation
* IOC: Unexpected service modification

[Sc.exe - LOLBAS Project]

Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Medusa Ransomware Actors (316a49d5-5fe0-4e0b-a276-f955f4277162) | Tidal Groups | Sc (41be663f-ecc9-4ab6-afeb-c52737f84858) | Tidal Software | 1 |