Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications made with the "Set-Service" cmdlet's "-SecurityDescriptorSddl" parameter (introduced in PowerShell 7; Windows PowerShell 5.1 has no such parameter). Deny ACEs set this way can hide a service from enumeration or make it unstoppable.
Sigma rule
title: Suspicious Service DACL Modification Via Set-Service Cmdlet
id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
      type: derived
status: test
description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable
references:
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl_flag:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        CommandLine|contains|all:
            - 'Set-Service '
            - 'D;;'
        CommandLine|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
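The rule's three selections and its `condition: all of selection_*`, re-implemented in Python and run over constructed process-creation events, as an added example that is not part of the rule or of the SigmaHQ repository. The events, the service name (Spooler) and the SDDL strings are constructed for the example; the mapping of SDDL right letters to SERVICE_* access rights is the standard one Windows uses for service objects, and the decoder only understands the two-letter SID aliases the rule itself keys on.

```python
"""Added example (not part of the Sigma rule or the SigmaHQ project): the rule's
selections re-implemented in Python and run over constructed process_creation
events, plus a small decoder for the deny ACEs the rule looks for."""
import re

# Well-known SID aliases the rule matches after ';;;' (see the SID strings reference).
SID_NAMES = {"IU": "Interactive", "SU": "Service logon", "BA": "Administrators",
             "SY": "SYSTEM", "WD": "Everyone"}

# Two-letter SDDL rights as Windows maps them onto service-object access rights.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE", "RC": "READ_CONTROL",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# --- the rule's detection section (Sigma string matching is case-insensitive) ----------
def selection_img(ev):
    return (ev.get("Image", "").lower().endswith("\\pwsh.exe")
            or ev.get("OriginalFileName", "").lower() == "pwsh.dll")

def selection_sddl_flag(ev):
    cl = ev.get("CommandLine", "").lower()
    return any(s in cl for s in ("-securitydescriptorsddl ", "-sd "))

def selection_set_service(ev):
    cl = ev.get("CommandLine", "").lower()
    return (all(s in cl for s in ("set-service ", "d;;"))
            and any(s in cl for s in (";;;iu", ";;;su", ";;;ba", ";;;sy", ";;;wd")))

def matches(ev):
    """condition: all of selection_*"""
    return selection_img(ev) and selection_sddl_flag(ev) and selection_set_service(ev)

# --- what a matched SDDL actually does ---------------------------------------------------
ACE_RE = re.compile(r"\(D;;([A-Z]*);;;([A-Z]{2})\)")  # deny ACE, no flags, alias SID

def denied_rights(cmdline):
    """{sid_alias: [SERVICE_* right names]} for every deny ACE on the command line."""
    out = {}
    for rights, sid in ACE_RE.findall(cmdline):
        pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        out[sid] = [SERVICE_RIGHTS.get(p, p) for p in pairs]
    return out

def impact(cmdline):
    """Denying SERVICE_QUERY_STATUS drops the service from that principal's
    Get-Service / sc query view; denying SERVICE_STOP makes it unstoppable for them."""
    effects = set()
    for sid, rights in denied_rights(cmdline).items():
        who = SID_NAMES.get(sid, sid)
        if "SERVICE_QUERY_STATUS" in rights:
            effects.add(f"hidden from {who}")
        if "SERVICE_STOP" in rights:
            effects.add(f"unstoppable by {who}")
    return sorted(effects)

# --- constructed sample events (Sysmon event-1 field names; not real telemetry) ---------
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
SDDL_HIDE = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")
SDDL_ALLOW = "D:(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
# Same deny ACEs written with full SID strings instead of aliases (S-1-5-4 = Interactive,
# S-1-5-6 = Service, S-1-5-32-544 = Administrators, S-1-5-18 = SYSTEM).
SDDL_HIDE_FULLSID = ("D:(D;;DCLCWPDTSD;;;S-1-5-4)(D;;DCLCWPDTSD;;;S-1-5-6)"
                     "(D;;DCLCWPDTSD;;;S-1-5-32-544)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-18)")

EVENTS = [
    {"Image": PWSH, "OriginalFileName": "pwsh.dll",  # 0: the pattern the rule targets
     "CommandLine": f"pwsh.exe -c \"Set-Service -Name Spooler -SecurityDescriptorSddl '{SDDL_HIDE}'\""},
    {"Image": PWSH, "OriginalFileName": "pwsh.dll",  # 1: -sd is the parameter's alias
     "CommandLine": f"pwsh.exe -c \"Set-Service Spooler -sd '{SDDL_HIDE}'\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",           # 2: 5.1 lacks the parameter; out of scope
     "CommandLine": f"powershell.exe -c \"Set-Service -Name Spooler -SecurityDescriptorSddl '{SDDL_HIDE}'\""},
    {"Image": PWSH, "OriginalFileName": "pwsh.dll",  # 3: allow-only SDDL, no 'D;;' token
     "CommandLine": f"pwsh.exe -c \"Set-Service -Name Spooler -SecurityDescriptorSddl '{SDDL_ALLOW}'\""},
    {"Image": PWSH, "OriginalFileName": "pwsh.dll",  # 4: ordinary administrative use
     "CommandLine": "pwsh.exe -c \"Set-Service -Name Spooler -StartupType Disabled\""},
    {"Image": PWSH, "OriginalFileName": "pwsh.dll",  # 5: full SIDs carry no ';;;IU' substring
     "CommandLine": f"pwsh.exe -c \"Set-Service -Name Spooler -SecurityDescriptorSddl '{SDDL_HIDE_FULLSID}'\""},
]

def run(events=EVENTS):
    """Indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev)]

if __name__ == "__main__":
    for i in run():
        print(f"event {i}: {impact(EVENTS[i]['CommandLine'])}")
```

Events 0 and 1 fire; the decoder shows why they matter (the service becomes hidden from, and unstoppable by, interactive users, service accounts and administrators). Event 5 is the caveat: the rule keys on two-letter SID aliases, so an SDDL written with full SID strings contains none of the `;;;IU`-style tokens and is not caught, and the same DACL set through `sc.exe sdset` is covered by the related sc.exe rules rather than this one.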
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Driver Load From A Temporary Directory
- Moriya Rootkit - System