Risk: Critical | Platform: Windows | Legitimate binary, commonly abused
sc.exe (system utility)

sc.exe - Service Control Manager Security Analysis

sc.exe is the **Windows Service Control Manager** command-line tool. Attackers heavily abuse sc.exe to **create malicious services for persistence**, **modify service configurations**, and **disable security software**. Service creation with sc.exe is a **primary persistence mechanism** in Windows attacks.

Risk Summary

CRITICAL priority for SOC triage. sc.exe is commonly abused for persistence and defense evasion. Any "sc create", "sc config", or service modification commands require **immediate investigation**. Service creation is a favorite persistence technique.

Overview

What is sc.exe?

sc.exe communicates with the Service Control Manager to manage Windows services.

Legitimate Functions

Service Management:

  • Query service status
  • Start/stop services
  • Create/delete services
  • Modify service configuration

Security Significance

  • Persistence Vector: the leading Windows persistence method
  • Defense Evasion: stop or disable security services
  • Privilege Escalation: misconfigured services run attacker-chosen binaries as SYSTEM
  • Remote Execution: accepts a remote host as the target (sc \\host ...)

Normal Behavior

Expected Process State

Property     Expected Value
Path         C:\Windows\System32\sc.exe
Parent       cmd.exe, powershell.exe
User         Administrator
Context      System administration

Legitimate Commands

sc query
sc qc ServiceName
sc start ServiceName
sc stop ServiceName

Common Locations

C:\Windows\System32\sc.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     sc query
             sc start KnownService
             sc stop KnownService
Context:     System administration

SUSPICIOUS

Command:     sc create MalService binPath= ...
             sc config ServiceName start= auto
             sc config WinDefend start= disabled
             sc \\remote create ...
Context:     Unknown service creation
             Disabling security software

High-Risk Commands

Command        Risk        Description
sc create      CRITICAL    Creates a new service
sc config      HIGH        Modifies service configuration
sc delete      HIGH        Removes a service
sc \\remote    CRITICAL    Remote service manipulation
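As an added example (not part of this page), the following Python triage function applies the risk table above to sc.exe command lines taken from process-creation logs (Sysmon Event ID 1 or Security Event ID 4688). The list of security services and the trusted path roots are constructed assumptions and should be adjusted to the environment.

```python
import re

# Security-product and logging services whose stop/disable is a tampering signal.
# Constructed starter list: extend with the AV/EDR service names used in your environment.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "mpssvc", "eventlog", "sysmon", "sysmon64"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")   # assumed "expected" binary locations
LEVELS = {"LOW": 0, "HIGH": 1, "CRITICAL": 2}

def parse_sc_command(cmdline):
    """Split an sc.exe command line into (remote_host, verb, service, options).
    Returns None for anything that is not an sc.exe invocation. sc options are
    written as 'name= value' (note the space), so 'binPath= "C:\\x.exe"' yields
    {'binpath': 'C:\\x.exe'}."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)          # keep quoted paths whole
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    if exe not in ("sc", "sc.exe"):
        return None
    rest = tokens[1:]
    host = rest.pop(0)[2:] if rest and rest[0].startswith("\\\\") else None   # sc \\host ...
    verb = rest.pop(0).lower() if rest else ""
    service = rest.pop(0).strip('"') if rest and not rest[0].endswith("=") else None
    options = {rest[i][:-1].lower(): rest[i + 1].strip('"')
               for i in range(len(rest) - 1) if rest[i].endswith("=")}
    return host, verb, service, options

def triage_sc_command(cmdline):
    """Rate one sc.exe command line LOW/HIGH/CRITICAL per the risk table above.
    Returns (risk, reasons); lines that are not sc.exe give ('N/A', [...])."""
    parsed = parse_sc_command(cmdline)
    if parsed is None:
        return "N/A", ["not an sc.exe invocation"]
    host, verb, service, options = parsed
    hits = []
    if host:                                   # sc \\remote ...: remote service manipulation
        hits.append(("CRITICAL", f"remote target \\\\{host}"))
    if verb == "create":                       # new service: primary persistence mechanism
        hits.append(("CRITICAL", "service creation"))
    elif verb in ("config", "delete"):
        hits.append(("HIGH", f"service {verb}"))
    binpath = options.get("binpath", "").lower()
    if binpath and not binpath.startswith(TRUSTED_ROOTS):
        hits.append(("HIGH", f"non-standard binary path: {options['binpath']}"))
    if service and service.lower() in SECURITY_SERVICES and (
            verb == "stop" or options.get("start", "").lower() == "disabled"):
        hits.append(("CRITICAL", f"security service tampering: {verb} {service}"))
    risk = max((lvl for lvl, _ in hits), key=LEVELS.get, default="LOW")
    return risk, [why for _, why in hits]
```

The reasons list is meant to be attached to the alert so an analyst sees which row of the table fired, rather than only the final level.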

Abuse Techniques

Technique #1: Service Persistence (T1543.003)

Create Malicious Service:

sc create MaliciousSvc binPath= "C:\malware\payload.exe" start= auto
sc start MaliciousSvc

Technique #2: Disable Security Software (T1562.001)

sc config WinDefend start= disabled
sc stop WinDefend

Technique #3: Remote Service Creation (T1021.002)

sc \\target create RemoteSvc binPath= "cmd /c C:\malware.exe"

Technique #4: Service Binary Modification (T1574.010)

sc config LegitService binPath= "C:\malware\payload.exe"

Remediation Steps

Defense: Monitor Service Changes

Enable logging of service installation and alert on new entries:

  • Event ID 7045 (System log, source Service Control Manager): a service was installed
  • Event ID 4697 (Security log): a service was installed; requires the "Audit Security System Extension" audit policy

Defense: Restrict sc.exe

Limit service management to specific admin accounts.

If Compromise Suspected

  1. List all services: sc query type= all
  2. Check for newly created services
  3. Review service binary paths
  4. Verify service signatures
  5. Remove malicious services
  6. Hunt for related persistence

Investigation Checklist

  • Review full command line
  • Check for service creation commands
  • Verify service binary paths
  • Check for security service tampering
  • Review remote operations
  • List recently created services
  • Verify service binary signatures
  • Check service startup types

MITRE ATT&CK Techniques

  • T1543.003: Create or Modify System Process: Windows Service (Technique #1, service persistence)
  • T1562.001: Impair Defenses: Disable or Modify Tools (Technique #2, disable security software)
  • T1021.002: Remote Services: SMB/Windows Admin Shares (Technique #3, remote service creation)
  • T1574.010: Hijack Execution Flow: Services File Permissions Weakness (Technique #4, service binary modification)

Last verified: January 18, 2026