Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Sigma rule (View on GitHub)
1title: Abuse of Service Permissions to Hide Services Via Set-Service
2id: 514e4c3a-c77d-4cde-a00f-046425e2301e
3related:
4 - id: a537cfc3-4297-4789-92b5-345bfd845ad0
5 type: derived
6 - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
7 type: similar
8status: test
9description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
10references:
11 - https://twitter.com/Alh4zr3d/status/1580925761996828672
12 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022-10-17
15tags:
16 - attack.persistence
17 - attack.defense-evasion
18 - attack.privilege-escalation
19 - attack.t1574.011
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\pwsh.exe'
26 - OriginalFileName: 'pwsh.dll'
27 selection_sddl:
28 # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
29 CommandLine|contains|all:
30 - 'Set-Service '
31 - 'DCLCWPDTSD'
32 selection_cmdlet:
33 CommandLine|contains:
34 - '-SecurityDescriptorSddl '
35 - '-sd '
36 condition: all of selection_*
37falsepositives:
38 - Rare intended use of hidden services
39level: high
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request
- Service Security Descriptor Tampering Via Sc.EXE
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS