Service DACL Modification via sc.exe
Identifies DACL modifications that deny access to a service, making it unstoppable or hiding it from the system and users.
[metadata]
creation_date = "2024/07/16"
# Integrations whose data streams appear in the rule's index list.
integration = [
    "endpoint",
    "windows",
    "sentinel_one_cloud_funnel",
    "m365_defender",
]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

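[rule]
author = ["Elastic"]
description = """
Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
"""
from = "now-9m"
# One index pattern per data source; keep in step with [metadata].integration.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
]
language = "eql"
license = "Elastic License v2"
name = "Service DACL Modification via sc.exe"
# The "Resources: Investigation Guide" tag requires a triage note; it was missing.
note = """
## Triage and analysis

### Investigating Service DACL Modification via sc.exe

Windows services carry a security descriptor that controls who may start, stop, query, or reconfigure them. `sc.exe sdset` replaces that descriptor with an SDDL string supplied on the command line. A deny ACE (`(D;...)`) aimed at well-known trustees such as Interactive Users (IU), Service Users (SU), Built-in Administrators (BA), Local System (SY), or Everyone (WD) can keep a service from being stopped or hide it from service enumeration, which shields a persistence mechanism from defenders.

### Possible investigation steps

- Inspect the full `process.args` / `process.command_line` and identify the target service, each deny ACE, the rights being denied, and the trustee SID string.
- Check `process.parent.*` and `user.name` to determine how `sc.exe` was launched (interactive shell, script, remote management tooling, installer).
- Determine whether the target service is a known product component and whether its vendor documents restricting the service DACL.
- Pivot on the host for surrounding activity: newly created or modified services, scheduled tasks, or other defense-evasion events in the same time window.

### False positive analysis

- Some installers and hardening scripts legitimately restrict service permissions. Validate with the service owner and, where appropriate, add an exception keyed on the target service name and parent process.
- The query matches `D;` anywhere in the arguments, so an allow-only descriptor whose rights list ends in `SD` or `WD` immediately before the trustee field can also trigger. Confirm that a deny ACE is actually present before escalating.

### Response and remediation

- If the change is unauthorized, isolate the host and record the current descriptor (`sc.exe sdshow <service-name>`) before restoring the expected permissions.
- Review the host for the persistence mechanism the DACL change was protecting and remove it.
- Reset credentials of the account that executed the change if compromise is suspected.
"""
references = [
    "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html",
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
    "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
    "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
]
risk_score = 47
rule_id = "5188c68e-d3de-4e96-994d-9e242269446f"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
]
timestamp_override = "event.ingested"
type = "eql"

# The two wildcard tests run independently over the same argument value, so a
# deny ACE for one trustee plus an allow ACE for SY/BA elsewhere in the
# descriptor also matches, as does an allow-only descriptor whose rights list
# ends in SD or WD right before the trustee field. Triage on the full SDDL.
# Only sc.exe process creation is observed; the same DACL change made through
# other tooling is out of scope for this rule.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "sc.exe" or ?process.pe.original_file_name : "sc.exe") and
 process.args : "sdset" and process.args : "*D;*" and
 process.args : ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*")
'''
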
# Denying access to a service hides it from enumeration and from the users
# and tools that would otherwise stop it.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# The DACL change protects a service, so the rule also maps to the
# service-based persistence technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"