sc.exe (System Utility) - Service Control Manager Security Analysis
sc.exe is the Windows Service Control Manager command-line tool. Attackers heavily abuse sc.exe to create malicious services for persistence, modify service configurations, and disable security software. Service creation with sc.exe is a primary persistence mechanism in Windows attacks.
Risk Summary
CRITICAL priority for SOC triage. sc.exe is commonly abused for persistence and defense evasion. Any "sc create", "sc config", or service modification commands require **immediate investigation**. Service creation is a favorite persistence technique.
Overview
What is sc.exe?
sc.exe communicates with the Service Control Manager to manage Windows services.
Legitimate Functions
Service Management:
- Query service status
- Start/stop services
- Create/delete services
- Modify service configuration
Security Significance
- Persistence Vector: service creation is the #1 Windows persistence technique
- Defense Evasion: stopping or disabling security services
- Privilege Escalation: abuse of service configurations
- Remote Execution: Supports remote targets
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\sc.exe |
| Parent | cmd.exe, powershell.exe |
| User | Administrator |
| Context | System administration |
Legitimate Commands
sc query
sc qc ServiceName
sc start ServiceName
sc stop ServiceName
Common Locations
C:\Windows\System32\sc.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Commands:
sc query
sc start KnownService
sc stop KnownService
Context: System administration
SUSPICIOUS
Commands:
sc create MalService binPath= ...
sc config ServiceName start= auto
sc config WinDefend start= disabled
sc \\remote create ...
Context: Unknown service creation; disabling security software
High-Risk Commands
| Command | Risk | Description |
|---|---|---|
| sc create | CRITICAL | Creates new service |
| sc config | HIGH | Modifies service |
| sc delete | HIGH | Removes service |
| sc \\remote | CRITICAL | Remote service manipulation |
Abuse Techniques
Technique #1: Service Persistence (T1543.003)
Create Malicious Service:
sc create MaliciousSvc binPath= "C:\malware\payload.exe" start= auto
sc start MaliciousSvc
Technique #2: Disable Security Software (T1562.001)
sc config WinDefend start= disabled
sc stop WinDefend
Technique #3: Remote Service Creation (T1021.002)
sc \\target create RemoteSvc binPath= "cmd /c C:\malware.exe"
Technique #4: Service Binary Modification (T1574.010)
sc config LegitService binPath= "C:\malware\payload.exe"
Detection Guidance
Priority #1: Service Creation
Sigma Rule:
title: Service Creation via SC
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains: 'create'
    condition: selection
level: high
Priority #2: Security Service Modification
Process = "sc.exe" AND
CommandLine CONTAINS ["WinDefend", "Sense", "MsMpEng"]
→ ALERT: CRITICAL - Security tampering
Priority #3: Remote Service Operations
Process = "sc.exe" AND
CommandLine MATCHES "\\\\.*"
→ ALERT: CRITICAL - Remote service manipulation
Priority #4: Service Config Changes
Process = "sc.exe" AND
CommandLine CONTAINS "config"
→ ALERT: HIGH - Review service changes
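The four detection priorities above, applied to process-creation events in one pass so that an analyst sees every rule an event trips (remote creation hits Priority #1 and #3 at once). This is an added example, not code from the original page; the sample events are constructed, and the image path, `Alert` class and helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Security service names the page's Priority #2 rule watches for.
SECURITY_SERVICES = ("WinDefend", "Sense", "MsMpEng")
# Priority #3 remote target token such as "\\host" (page rule: MATCHES "\\\\.*").
REMOTE_TARGET = re.compile(r"(?:^|\s)\\\\[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class Alert:
    priority: int  # the page's Priority #1..#4
    level: str     # HIGH / CRITICAL as stated in the guidance
    reason: str


def classify_sc_command(image: str, command_line: str) -> list:
    """Apply the four detection priorities to one process-creation event.

    Returns every matching Alert in page order; empty when the image is not
    sc.exe or only query/start/stop of a non-security service was used.
    """
    if not image.lower().endswith("\\sc.exe"):
        return []
    cl = command_line.lower()
    alerts = []
    if "create" in cl:  # Priority #1, mirrors the Sigma rule's contains: 'create'
        alerts.append(Alert(1, "HIGH", "Service creation via sc.exe"))
    if any(svc.lower() in cl for svc in SECURITY_SERVICES):  # Priority #2
        alerts.append(Alert(2, "CRITICAL", "Security service tampering"))
    if REMOTE_TARGET.search(command_line):  # Priority #3
        alerts.append(Alert(3, "CRITICAL", "Remote service manipulation"))
    if "config" in cl:  # Priority #4
        alerts.append(Alert(4, "HIGH", "Service config change, review"))
    return alerts


# Constructed sample process-creation events (not real telemetry).
SC = r"C:\Windows\System32\sc.exe"
SAMPLE_EVENTS = [
    (SC, "sc query"),
    (SC, r'sc create MaliciousSvc binPath= "C:\malware\payload.exe" start= auto'),
    (SC, "sc config WinDefend start= disabled"),
    (SC, r'sc \\target create RemoteSvc binPath= "cmd /c C:\malware.exe"'),
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def triage(events):
    """Return [(command_line, [priority, ...])] for events that raised alerts."""
    return [(cl, [a.priority for a in classify_sc_command(img, cl)])
            for img, cl in events if classify_sc_command(img, cl)]
```

Substring matching keeps the example faithful to the page's rules; in production, tokenise the command line so that service names or arguments containing "create" or "config" do not trip the rules.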
Remediation Steps
Defense: Monitor Service Changes
Enable service-installation event logging and forward both events to the SIEM:
- Event ID 7045: Service installed (System log, Service Control Manager)
- Event ID 4697: Service installed (Security log, requires the security system extension audit policy)
Defense: Restrict sc.exe
Limit service management to specific admin accounts.
If Compromise Suspected
- List all services: sc query type= all
- Check for newly created services
- Review service binary paths
- Verify service signatures
- Remove malicious services
- Hunt for related persistence
Investigation Checklist
- Review full command line
- Check for service creation commands
- Verify service binary paths
- Check for security service tampering
- Review remote operations
- List recently created services
- Verify service binary signatures
- Check service startup types