Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" parameter (the rule also matches its short "-sd" form). The parameter is only available in PowerShell 7, which is why the rule scopes to pwsh.exe. It fires when the supplied security descriptor contains an access-denied ACE ("D;;") aimed at Interactive Users (IU), Service Logon users (SU), Built-in Administrators (BA), SYSTEM (SY) or Everyone (WD): such entries can hide a service from enumeration or make it unstoppable, the technique described in the referenced SANS red-team post.
Sigma rule
title: Suspicious Service DACL Modification Via Set-Service Cmdlet
id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
      type: derived
status: test
description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstoppable
references:
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl_flag:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        CommandLine|contains|all:
            - 'Set-Service '
            - 'D;;'
        CommandLine|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
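The rule's three selections, as an added example that is not part of the rule or of the Sigma project, implemented in Python and run over a handful of constructed process_creation events. The event dictionaries, the service name "UpdaterSvc", the pwsh.exe path and the SDDL strings are made up for illustration (the first descriptor copies the shape of the "hidden service" descriptor from the SANS post the rule references), and deny_aces() is a hypothetical triage helper that splits the DACL into ACEs so an analyst can see which principals are being denied which service rights.

```python
import re

# Selections transcribed from the Sigma rule above. Sigma string modifiers
# (contains, endswith) match case-insensitively, so both sides are lowercased.
IMAGE_SUFFIX = "\\pwsh.exe"
ORIGINAL_FILE_NAME = "pwsh.dll"
SDDL_FLAGS = ("-securitydescriptorsddl ", "-sd ")
SET_SERVICE_ALL = ("set-service ", "d;;")
DENIED_SIDS = (";;;iu", ";;;su", ";;;ba", ";;;sy", ";;;wd")


def matches_rule(event: dict) -> bool:
    """Evaluate 'all of selection_*' against one process_creation event."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_img = image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME
    selection_sddl_flag = any(flag in cmd for flag in SDDL_FLAGS)
    selection_set_service = all(s in cmd for s in SET_SERVICE_ALL) and any(
        sid in cmd for sid in DENIED_SIDS
    )
    return selection_img and selection_sddl_flag and selection_set_service


# One ACE in SDDL form: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def deny_aces(sddl: str) -> list:
    """Hypothetical triage helper: (rights, sid) for every access-denied ACE.

    Only the D: (DACL) section is parsed; a trailing S: (SACL) section is cut off.
    """
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [
        (rights, sid)
        for ace_type, _, rights, _, _, sid in ACE_RE.findall(dacl)
        if ace_type == "D"
    ]


# Constructed sample events (not real telemetry). HIDE_SDDL denies change-config,
# query-status, stop, pause and delete (DC LC WP DT SD) to interactive users,
# service logons and administrators, then grants SYSTEM its usual rights.
HIDE_SDDL = (
    "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
)
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
SAMPLE_EVENTS = [
    {"id": "hide-service", "Image": PWSH, "OriginalFileName": "pwsh.dll",
     "CommandLine": f"\"{PWSH}\" -NoProfile -Command \"Set-Service -Name UpdaterSvc "
                    f"-SecurityDescriptorSddl '{HIDE_SDDL}'\""},
    # -sd short form; denying SERVICE_STOP (WP) to BA and SY makes the service unstoppable
    {"id": "deny-stop-admins", "Image": PWSH, "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -c \"Set-Service UpdaterSvc -sd "
                    "'D:(D;;WP;;;BA)(D;;WP;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;WD)'\""},
    # benign Set-Service: no security descriptor at all
    {"id": "disable-spooler", "Image": PWSH, "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -c \"Set-Service -Name Spooler -StartupType Disabled\""},
    # allow-only descriptor: no access-denied ACE, so selection_set_service fails
    {"id": "allow-only", "Image": PWSH, "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -c \"Set-Service UpdaterSvc -sd "
                    "'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)'\""},
    # Windows PowerShell 5.1 has no -SecurityDescriptorSddl, and the rule scopes to pwsh.exe
    {"id": "winps-out-of-scope",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c \"Set-Service UpdaterSvc "
                    "-SecurityDescriptorSddl 'D:(D;;WP;;;BA)'\""},
]


def evaluate(events) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>20}: {'ALERT' if matches_rule(event) else 'no match'}")
    print("deny ACEs in HIDE_SDDL:", deny_aces(HIDE_SDDL))
```

Because the rule is substring-based, both parameter patterns require a trailing space: the colon form `-SecurityDescriptorSddl:'...'` or an abbreviated parameter name (PowerShell binds any unambiguous prefix) would not trip selection_sddl_flag, and the same descriptor applied with `sc.exe sdset` is covered by the related Sc.EXE rules listed below rather than by this one.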
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE