Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Sigma rule (View on GitHub)
1title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
2id: 22d80745-6f2c-46da-826b-77adaededd74
3related:
4 - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
5 type: similar
6status: test
7description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
8references:
9 - https://twitter.com/Alh4zr3d/status/1580925761996828672
10 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-10-24
13tags:
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.privilege-escalation
17 - attack.t1574.011
18logsource:
19 product: windows
20 category: ps_script
21 definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23 selection_sddl_flag:
24 ScriptBlockText|contains:
25 - '-SecurityDescriptorSddl '
26 - '-sd '
27 selection_set_service:
28 ScriptBlockText|contains|all:
29 - 'Set-Service '
30 - 'D;;'
31 ScriptBlockText|contains:
32 - ';;;IU'
33 - ';;;SU'
34 - ';;;BA'
35 - ';;;SY'
36 - ';;;WD'
37 condition: all of selection_*
38falsepositives:
39 - Rare intended use of hidden services
40 - Rare FP could occur due to the non linearity of the ScriptBlockText log
41level: high
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request
- Service Security Descriptor Tampering Via Sc.EXE