Uncommon Remote Service Start via sc.exe

Analytics alert indicates that the Service Control (sc.exe) command was used to start a remote service.


10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data


The service control command was executed on an endpoint to start a service on a remote host. For additional context, this alert identifies the full command used to start the service and the total number of endpoints on which the command was run in the last 14 days.
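The logic described above can be reproduced offline over process telemetry. This added example is not Cortex XDR's own detection code: it extracts remote `sc ... start` commands from command lines and counts the distinct endpoints that ran each one in the last 14 days. The event tuples, host names, and the `max_endpoints` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sc.exe syntax: sc [\\server] <command> <service>; a remote start names a \\server.
REMOTE_START = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?sc(?:\.exe)?"?\s+(\\\\[^\s\\]+)\s+start\s+("[^"]+"|\S+)',
    re.IGNORECASE,
)

def parse_remote_start(cmdline):
    """Return the normalized remote-start command, or None for anything else."""
    m = REMOTE_START.match(cmdline)
    if not m:
        return None
    host, service = m.group(1).lower(), m.group(2).strip('"').lower()
    return f"sc {host} start {service}"

def uncommon_remote_starts(events, now, window=timedelta(days=14), max_endpoints=1):
    """List commands run on at most max_endpoints distinct endpoints within the window."""
    endpoints = defaultdict(set)
    for ts, endpoint, cmdline in events:
        command = parse_remote_start(cmdline)
        if command and now - window <= ts <= now:
            endpoints[command].add(endpoint)
    return [
        {"command": cmd, "endpoint_count": len(eps), "endpoints": sorted(eps)}
        for cmd, eps in sorted(endpoints.items())
        if len(eps) <= max_endpoints  # threshold is an assumption, tune per environment
    ]

# Constructed sample telemetry: (timestamp, endpoint, process command line).
NOW = datetime(2024, 5, 15, 12, 0)
EVENTS = [
    (NOW - timedelta(days=1), "WS-014", r"sc \\FILESRV01 start RemoteRegistry"),
    (NOW - timedelta(days=2), "ADM-01", r"sc.exe \\APP01 start Spooler"),
    (NOW - timedelta(days=3), "ADM-02", r"SC \\app01 START spooler"),
    (NOW - timedelta(days=5), "ADM-03", r'"C:\Windows\System32\sc.exe" \\APP01 start "Spooler"'),
    (NOW - timedelta(days=20), "WS-020", r"sc \\DB01 start MSSQLSERVER"),  # outside window
    (NOW - timedelta(days=1), "WS-014", "sc start Spooler"),  # local start, ignored
    (NOW - timedelta(hours=4), "WS-014", r"sc \\FILESRV01 query RemoteRegistry"),  # not a start
]

if __name__ == "__main__":
    for alert in uncommon_remote_starts(EVENTS, NOW):
        print(alert)
```

Normalizing case and quoting before counting keeps the same administrative command, typed differently on several hosts, from being reported as several rare commands.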

Attacker's Goals

The Service Control command is used to create, start, stop, query, or delete Windows services. Attackers can use the command to attempt to execute and persist a binary, command, or script.
