Abuse of Service Permissions to Hide Services Via Set-Service

calendar Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011  ·
Share on: linkedin copy

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Sigma rule (View on GitHub)

 1title: Abuse of Service Permissions to Hide Services Via Set-Service
 2id: 514e4c3a-c77d-4cde-a00f-046425e2301e
 3related:
 4    - id: a537cfc3-4297-4789-92b5-345bfd845ad0
 5      type: derived
 6    - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
 7      type: similar
 8status: test
 9description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
10references:
11    - https://twitter.com/Alh4zr3d/status/1580925761996828672
12    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2022/10/17
15tags:
16    - attack.persistence
17    - attack.defense_evasion
18    - attack.privilege_escalation
19    - attack.t1574.011
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\pwsh.exe'
26        - OriginalFileName: 'pwsh.dll'
27    selection_sddl:
28        # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
29        CommandLine|contains|all:
30            - 'Set-Service '
31            - 'DCLCWPDTSD'
32    selection_cmdlet:
33        CommandLine|contains:
34            - '-SecurityDescriptorSddl '
35            - '-sd '
36    condition: all of selection_*
37falsepositives:
38    - Rare intended use of hidden services
39level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Set-Service (Microsoft.PowerShell.Management) - PowerShell

    This cmdlet is only available on the Windows platform. The Set-Service cmdlet changes the properties of a service such as the Status, Description, DisplayName, and StartupType. Set-Service can start, stop, suspend, or pause a service. To identify a service, enter its service name or submit a service object. Or, send a service name or service object down the pipeline to Set-Service.


    Read More

Related rules

to-top