Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

 1title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
 2id: 22d80745-6f2c-46da-826b-77adaededd74
 3related:
 4    - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
 5      type: similar
 6status: test
 7description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
 8references:
 9    - https://twitter.com/Alh4zr3d/status/1580925761996828672
10    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-10-24
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.execution
17    - attack.stealth
18    - attack.t1574.011
19logsource:
20    product: windows
21    category: ps_script
22    definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24    selection_sddl_flag:
25        ScriptBlockText|contains:
26            - '-SecurityDescriptorSddl '
27            - '-sd '
28    selection_set_service:
29        ScriptBlockText|contains|all:
30            - 'Set-Service '
31            - 'D;;'
32        ScriptBlockText|contains:
33            - ';;;IU'
34            - ';;;SU'
35            - ';;;BA'
36            - ';;;SY'
37            - ';;;WD'
38    condition: all of selection_*
39falsepositives:
40    - Rare intended use of hidden services
41    - Rare FP could occur due to the non linearity of the ScriptBlockText log
42level: high