Service Startup Type Change Via Wmic.EXE

Original Source: [Sigma source]
Title: Service Startup Type Change Via Wmic.EXE
Status: experimental
Description: Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
References:
  - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-04-27
Modified: None
Tags:
  - attack.execution
  - attack.t1047
  - attack.defense-evasion
  - attack.t1562.001
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_img:
    Image|endswith: '\WMIC.exe'
    OriginalFileName: 'wmic.exe'
  selection_cli:
    CommandLine|contains|all:
      - ' service '
      - 'ChangeStartMode'
    CommandLine|contains:
      - 'Manual'
      - 'Disabled'
  condition: all of selection_*
Falsepositives:
  - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
Level: medium
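The following is an added example, not part of the Sigma rule or the Sigma project's own code. It re-implements the detection logic above in plain Python so the matching behaviour can be checked against sample process_creation events before the rule is deployed. It assumes events arrive as flat dictionaries carrying the `Image`, `OriginalFileName` and `CommandLine` fields named in the rule, applies Sigma's default case-insensitive string matching, and evaluates `selection_img` exactly as written above (both fields must match). The sample events are constructed for this example; the evaluator only covers the modifiers this rule uses, not the full Sigma specification.

```python
"""Evaluate the 'Service Startup Type Change Via Wmic.EXE' logic over sample events.

Added example: a minimal evaluator for the modifiers this rule uses
(endswith, contains, contains|all) plus 'all of selection_*'.
"""

# The rule's detection block, transcribed into Python (same values as the rule).
RULE = {
    "selection_img": {
        "Image|endswith": ["\\WMIC.exe"],
        "OriginalFileName": ["wmic.exe"],
    },
    "selection_cli": {
        "CommandLine|contains|all": [" service ", "ChangeStartMode"],
        "CommandLine|contains": ["Manual", "Disabled"],
    },
}


def _match_field(event, key, values):
    """Evaluate one 'field|modifier|...' expression against an event.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. A missing field never matches.
    """
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "contains" in mods:
        hits = [w in actual for w in wanted]
    elif "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [actual.startswith(w) for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    # 'all' requires every listed value to hit; otherwise any single hit suffices.
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    """A selection written as a map is an AND of its field expressions."""
    return all(_match_field(event, key, vals) for key, vals in selection.items())


def rule_matches(event):
    """condition: all of selection_* -> every selection must match."""
    return all(selection_matches(event, sel) for sel in RULE.values())


# Constructed sample events (not real telemetry). e1 and e2 should match,
# e3..e5 should not.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic.exe service where name="Spooler" call ChangeStartMode Disabled'},
    {"id": "e2", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic service where (name="Schedule") call ChangeStartMode Manual'},
    # Benign enumeration: no ChangeStartMode verb.
    {"id": "e3", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic.exe service list brief"},
    # Same outcome via sc.exe: out of scope for this rule (image does not match).
    {"id": "e4", "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe config Spooler start= disabled"},
    # Start mode set to Automatic: neither 'Manual' nor 'Disabled' is present.
    {"id": "e5", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic.exe service where name="Spooler" call ChangeStartMode Automatic'},
]


def find_matches(events=SAMPLE_EVENTS):
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("matching events:", find_matches())
```

Running the block reports `e1` and `e2` as matches. The `e4` case illustrates the rule's scope: the same startup-type change made through `sc.exe` is not covered here and needs its own detection, and `e5` shows that restoring a service to Automatic is deliberately excluded.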