Service DACL Modification via sc.exe

Identifies DACL modifications that deny access to a service, making it unstoppable or hiding it from the system and users.


 1[metadata]
 2creation_date = "2024/07/16"
 3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.13.0 for Sentinel One Cloud Funnel Integration"
 6min_stack_version = "8.13.0"
 7updated_date = "2024/08/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Service DACL Modification via sc.exe"
19references = [
20  "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
21  "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
22  "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
23  "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
24]
25risk_score = 47
26rule_id = "5188c68e-d3de-4e96-994d-9e242269446f"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Defense Evasion",
33    "Resources: Investigation Guide",
34    "Data Source: Elastic Endgame",
35    "Data Source: Elastic Defend",
36    "Data Source: Sysmon",
37    "Data Source: SentinelOne",
38    "Data Source: Microsoft Defender for Endpoint"
39]
40timestamp_override = "event.ingested"
41type = "eql"
42
43query = '''
44process where host.os.type == "windows" and event.type == "start" and
45  (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and
46  process.args : "sdset" and process.args : "*D;*" and
47  process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1564"
55name = "Hide Artifacts"
56reference = "https://attack.mitre.org/techniques/T1564/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1543"
69name = "Create or Modify System Process"
70reference = "https://attack.mitre.org/techniques/T1543/"
71[[rule.threat.technique.subtechnique]]
72id = "T1543.003"
73name = "Windows Service"
74reference = "https://attack.mitre.org/techniques/T1543/003/"
75
76
77
78[rule.threat.tactic]
79id = "TA0003"
80name = "Persistence"
81reference = "https://attack.mitre.org/tactics/TA0003/"
