Service DACL Modification via sc.exe
Identifies DACL modifications that deny access to a service, making it unstoppable or hiding it from the system and users.
# Elastic detection rule: "Service DACL Modification via sc.exe".
# Declarative rule file consumed by the Elastic detection engine: [metadata]
# carries packaging/compatibility fields, [rule] the rule definition itself.
[metadata]
creation_date = "2024/07/16"
# Integrations whose process-start events the `index` patterns under [rule]
# are expected to cover.
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
# Why the 8.14.0 floor: the Windows integration changed incompatibly there.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/11/02"

[rule]
author = ["Elastic"]
description = """
Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
"""
# Look-back window per rule execution. `timestamp_override` below makes the
# engine evaluate it against ingest time, so late-arriving events are not
# silently skipped.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-crowdstrike.fdr*"]
language = "eql"
license = "Elastic License v2"
name = "Service DACL Modification via sc.exe"
# Third reference documents the SDDL SID strings (IU/SU/BA/SY/WD) the query
# keys on; the Sigma rule is the equivalent community detection.
references = [
 "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
 "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
]
risk_score = 47
rule_id = "5188c68e-d3de-4e96-994d-9e242269446f"
severity = "medium"
# NOTE(review): "Resources: Investigation Guide" is tagged, but no `note`
# key (the investigation guide body) is present in this view — confirm the
# guide exists or drop the tag.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Crowdstrike"
]
timestamp_override = "event.ingested"
type = "eql"

# Matches process-start events for sc.exe — by process name or by PE original
# file name, the latter prefixed with `?` so sources that lack the PE field
# still match on name — whose arguments contain:
#   * `sdset`  — the sc.exe verb that rewrites a service's security descriptor,
#   * `D;`     — the SDDL marker of a deny ACE,
#   * a trustee of interactive users (IU), service logon users (SU), built-in
#     administrators (BA), local SYSTEM (SY) or Everyone (WD).
# Comments cannot go inside the ''' literal: a `#` there is part of the query.
# NOTE(review): `*D;*` is a plain substring match on the whole SDDL argument,
# so an allow ACE whose rights list ends in SD (`...SD;;;BA`) also contains
# `D;` — confirm this is accepted noise rather than tightening to `*(D;*`.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and
 process.args : "sdset" and process.args : "*D;*" and
 process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*")
'''


# ATT&CK mapping 1: Defense Evasion via Hide Artifacts (a deny ACE can hide
# the service from enumeration).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# ATT&CK mapping 2: Persistence via Windows Service modification.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"