Potential Persistence Via Security Descriptors - ScriptBlock
Detects the use of functions and keywords that manipulate security descriptors, potentially in order to set a backdoor, as seen in the DAMP project.
Sigma rule

```yaml
title: Potential Persistence Via Security Descriptors - ScriptBlock
id: 2f77047c-e6e9-4c11-b088-a3de399524cd
status: test
description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
references:
    - https://github.com/HarmJ0y/DAMP
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'win32_Trustee'
            - 'win32_Ace'
            - '.AccessMask'
            - '.AceType'
            - '.SetSecurityDescriptor'
        ScriptBlockText|contains:
            - '\Lsa\JD'
            - '\Lsa\Skew1'
            - '\Lsa\Data'
            - '\Lsa\GBG'
    condition: selection
falsepositives:
    - Unknown
level: high
```
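The rule's selection logic, written out in Python as an added example (not the rule's own or the DAMP project's code) and run over constructed PowerShell 4104 script-block events. It goes one step beyond the rule by reassembling fragmented script blocks by ScriptBlockId before matching, since PowerShell logs a long script block as several 4104 events and a keyword set spread across fragments would otherwise never satisfy `contains|all`. The field names ScriptBlockText, ScriptBlockId, MessageNumber and MessageTotal follow the 4104 event schema; the sample events themselves are constructed.

```python
"""Apply the Sigma selection above to constructed PowerShell 4104 events."""
from collections import defaultdict

# Tokens copied from the rule, lowercased: Sigma 'contains' is case-insensitive.
ALL_OF = ["win32_trustee", "win32_ace", ".accessmask", ".acetype", ".setsecuritydescriptor"]
ANY_OF = ["\\lsa\\jd", "\\lsa\\skew1", "\\lsa\\data", "\\lsa\\gbg"]


def matches(script_text: str) -> bool:
    """True when the text satisfies both the contains|all and the contains clause."""
    text = script_text.lower()
    return all(t in text for t in ALL_OF) and any(t in text for t in ANY_OF)


def reassemble(events):
    """Join fragmented 4104 events per ScriptBlockId, ordered by MessageNumber."""
    parts = defaultdict(dict)
    for e in events:
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
    return {sid: "".join(chunks[n] for n in sorted(chunks)) for sid, chunks in parts.items()}


def alerts(events):
    """Return the ScriptBlockIds whose reassembled text matches the rule."""
    return sorted(sid for sid, text in reassemble(events).items() if matches(text))


# Constructed sample events (not real logs). Block "aaa" arrives as two fragments;
# neither fragment alone contains every contains|all token.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "aaa", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$t = ([wmiclass]'Win32_Trustee').CreateInstance()\n"
                        "$a = ([wmiclass]'Win32_Ace').CreateInstance()\n"
                        "$a.AccessMask = $mask; $a.AceType = $type\n"},
    {"ScriptBlockId": "aaa", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$key = 'SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD'\n"
                        "$r.SetSecurityDescriptor($sd)\n"},
    # Benign read of the same key: only the contains clause is satisfied.
    {"ScriptBlockId": "bbb", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Acl 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD'\n"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['aaa']
```

Matching each fragment on its own, as a backend that evaluates the rule per event would, misses block "aaa"; only the reassembled text triggers.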