You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/03/05
modified: 2024/01/18
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'sc.exe'
- Image|endswith: '\sc.exe'
selection_cli:
CommandLine|contains: ' stop '
condition: all of selection_*
falsepositives:
- There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly