title: Service Starting
description: Detection of sc.exe start or start-service.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
   tactic: Execution
   technique: T1569
   subtechnique: 002
operating_system: windows
query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
  ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
false_positives: Manual service actions.
tags: null