Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR
Description

By Maulik Maheta and Lishoy Mathew · September 8, 2025

Executive summary

The tactics of cyber adversaries continue to evolve as they attempt to bypass security vendors. Rather than relying on traditional malware, today's attackers can abuse trusted system components in fileless ways to move laterally across networks. Abuse of the Windows Service Control Manager (SCM) is one particularly stealthy technique: by remotely modifying service configurations through built-in APIs such as ChangeServiceConfigA, attackers can execute malicious payloads without ever dropping a file on disk.

This type of fileless lateral movement is extremely difficult to detect with traditional security solutions that only monitor endpoints or files. Attackers may use legitimate credentials, avoid writing to disk, and blend into normal administrative behavior, making their actions appear benign.

In this blog post, we walk through a real-world example of this technique, in which an attacker uses tools such as SCShell or native Windows commands (sc.exe) to compromise a target machine and silently pivot across the network. This approach highlights the growing abuse of trusted, legitimate tools for malicious purposes, similar to the living-off-the-land strategies employed during attacks on Ukrainian infrastructure. We then investigate how Trellix Network Detection and Response (NDR) detects these silent attacks. Trellix NDR detects lateral movement…

