Uncommon Service Create/Config

The Uncommon Service Create/Config alert indicates that the Service Control (sc.exe) command was used to create a new service or configure an existing one.

Synopsis

Every 10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity
Medium

Description

The service control command was executed on an endpoint to create a new service or configure an existing one. This is suspicious because the executable set to run as the service is a legitimate but often-abused one, and the same command line was seen on only a handful of endpoints, if any, in the last 14 days.
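The logic described above can be sketched over process-creation events. This is an added example, not Cortex XDR's own detector. The abused-binary list, the threshold of 3 endpoints for "a handful", the event fields (`host`, `time`, `cmdline`) and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not Cortex XDR's real values): abused-binary list and "handful" threshold.
ABUSED = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
MAX_HOSTS = 3
WINDOW = timedelta(days=14)  # look-back period stated in the alert description
SC_RE = re.compile(r'(?:^|[\\\s"])sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?(create|config)\s+(\S+)', re.I)
BIN_RE = re.compile(r'binpath=\s*(?:"((?:\\"|[^"])*)"|(\S+))', re.I)

def parse_sc(cmdline):
    """Return (action, service, image name) for sc create/config with a binPath, else None."""
    sc, bp = SC_RE.search(cmdline), BIN_RE.search(cmdline)
    if not (sc and bp):
        return None
    value = (bp.group(1) or bp.group(2) or "").replace('\\"', '"').strip()
    first = re.match(r'"([^"]+)"|(\S+)', value)  # first token of binPath is the image
    if not first:
        return None
    image = (first.group(1) or first.group(2)).rsplit("\\", 1)[-1].lower()
    return sc.group(1).lower(), sc.group(2), image

def normalize(cmdline):
    """Case- and whitespace-insensitive key used to count endpoints per command line."""
    return " ".join(cmdline.lower().split())

def detect(events, now):
    """Flag sc create/config events whose image is abused and whose command line is rare."""
    recent = [e for e in events if now - e["time"] <= WINDOW and parse_sc(e["cmdline"])]
    hosts = defaultdict(set)
    for e in recent:
        hosts[normalize(e["cmdline"])].add(e["host"])
    return [(e["host"],) + parse_sc(e["cmdline"]) for e in recent
            if parse_sc(e["cmdline"])[2] in ABUSED
            and len(hosts[normalize(e["cmdline"])]) <= MAX_HOSTS]

# Constructed sample events (not real telemetry).
NOW = datetime(2024, 1, 15)
COMMON = r'sc.exe create InvAgent binPath= "cmd.exe /c C:\Tools\inventory.bat"'
EVENTS = [{"host": f"ws{i:02d}", "time": NOW - timedelta(days=2), "cmdline": COMMON} for i in range(5)]
EVENTS += [
    {"host": "ws07", "time": NOW - timedelta(hours=1),  # rare command line, abused image
     "cmdline": r'sc create UpdSvc binPath= "C:\Windows\System32\cmd.exe /c C:\Temp\run.bat"'},
    {"host": "ws08", "time": NOW - timedelta(days=1),   # rare, but image is not on the list
     "cmdline": r'sc config Spooler binPath= "C:\Windows\System32\spoolsv.exe"'},
    {"host": "ws09", "time": NOW - timedelta(days=30),  # outside the 14-day window
     "cmdline": r'sc create OldSvc binPath= "powershell.exe -File C:\old.ps1"'},
]
```

Only the ws07 event is flagged: the InvAgent command uses cmd.exe but appears on five endpoints, so prevalence suppresses it.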

Attacker's Goals

Evading security controls and possibly persisting malware.

Investigative Actions

Check whether the service created, or the configuration change to an existing service, is benign or normal for the host and/or user performing it.
