
Turning off services using sc exe

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel · Table: DeviceProcessEvents · Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-25T23:00:00Z · Confidence: medium

Hunt Hypothesis

This query checks for attempts to turn off at least 10 existing services using sc.exe.

KQL Query

// Look for sc.exe disabling services
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
| summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where ScDisableCount > 10
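The following is an added example and not part of the Azure-Sentinel rule or the original page: a stand-alone Python re-implementation of the hunting logic above, run offline over constructed sample DeviceProcessEvents rows. It groups events by DeviceId and 5-minute bin, counts distinct command lines carrying the terms sc, config and disabled, and flags bins whose distinct count exceeds the rule's threshold. The term matcher is an assumption that approximates KQL `has` (case-insensitive whole-term match on alphanumeric runs); the device names, service names and timestamps are constructed.

```python
"""Offline re-implementation of the 'Turning off services using sc exe' hunt.
Added example; not the rule's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                # the rule's `where ScDisableCount > 10`
BIN = timedelta(minutes=5)    # bin(Timestamp, 5m)

# Assumption: approximate KQL `has` as a case-insensitive whole-term match,
# where a term is a run of alphanumeric/underscore characters.
_TERM = re.compile(r"[A-Za-z0-9_]+")


def has_term(text: str, term: str) -> bool:
    """True if `term` appears as a whole token in `text` (case-insensitive)."""
    return term.lower() in {t.lower() for t in _TERM.findall(text)}


def matches_rule(cmdline: str) -> bool:
    """Mirror the rule's three `has` predicates on ProcessCommandLine."""
    return all(has_term(cmdline, t) for t in ("sc", "config", "disabled"))


def bin_start(ts: datetime) -> datetime:
    """Floor a timestamp to its 5-minute boundary, like bin(Timestamp, 5m)."""
    secs = int(ts.timestamp())
    floored = secs - (secs % int(BIN.total_seconds()))
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def hunt(events):
    """events: iterable of dicts with Timestamp (aware datetime), DeviceId and
    ProcessCommandLine. Returns {(DeviceId, bin_start): sorted distinct matching
    command lines} for every bin whose distinct count exceeds THRESHOLD, i.e.
    the rule's ScDisableCount (dcount) and ScDisableList (make_set)."""
    seen = defaultdict(set)
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if matches_rule(cmd):
            seen[(ev["DeviceId"], bin_start(ev["Timestamp"]))].add(cmd)
    return {k: sorted(v) for k, v in seen.items() if len(v) > THRESHOLD}


# Constructed sample data (not real telemetry): host-a disables 12 distinct
# placeholder services inside one window, host-b repeats one identical command
# 15 times (dcount stays 1, so it is not flagged), host-c runs an unrelated
# sc subcommand.
T0 = datetime(2026, 5, 25, 22, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [{"Timestamp": T0 + timedelta(seconds=i), "DeviceId": "host-a",
      "ProcessCommandLine": f"sc.exe config svc{i} start= disabled"}
     for i in range(12)]
    + [{"Timestamp": T0 + timedelta(seconds=i), "DeviceId": "host-b",
        "ProcessCommandLine": "sc.exe config svc0 start= disabled"}
       for i in range(15)]
    + [{"Timestamp": T0, "DeviceId": "host-c",
        "ProcessCommandLine": "sc.exe query svc0"}]
)

if __name__ == "__main__":
    for (device, start), cmds in hunt(SAMPLE_EVENTS).items():
        print(f"{device} {start.isoformat()} ScDisableCount={len(cmds)}")
        for c in cmds:
            print("   ", c)
```

Two points the sample makes explicit: the rule uses `> 10`, so a bin needs 11 or more distinct command lines to fire even though the description says "at least 10"; and because the count is a `dcount`, many repetitions of one identical command line never reach the threshold, so host-b above is not reported.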

Analytic Rule Definition

id: 5c446a44-748e-48d3-9b13-fbd7dde5b164
name: Turning off services using sc exe
description: |
  This query checks for attempts to turn off at least 10 existing services using sc.exe.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Ransomware
query: |
  // Look for sc.exe disabling services
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where ProcessCommandLine has "sc" and ProcessCommandLine has "config" and ProcessCommandLine has "disabled"
  | summarize ScDisableCount = dcount(ProcessCommandLine), ScDisableList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
  | where ScDisableCount > 10

Required Data Sources

Sentinel Table       Notes
DeviceProcessEvents  Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Ransomware/Turning off services using sc exe.yaml