Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
Sigma rule (View on GitHub)
1title: Suspicious Service DACL Modification Via Set-Service Cmdlet
2id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
3related:
4 - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
5 type: derived
6status: test
7description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
8references:
9 - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
10 - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/10/18
13tags:
14 - attack.persistence
15 - attack.t1543.003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\pwsh.exe'
22 - OriginalFileName: 'pwsh.dll'
23 selection_sddl_flag:
24 CommandLine|contains:
25 - '-SecurityDescriptorSddl '
26 - '-sd '
27 selection_set_service:
28 CommandLine|contains|all:
29 - 'Set-Service '
30 - 'D;;'
31 CommandLine|contains:
32 - ';;;IU'
33 - ';;;SU'
34 - ';;;BA'
35 - ';;;SY'
36 - ';;;WD'
37 condition: all of selection_*
38falsepositives:
39 - Unknown
40level: high
References
-
Offensive Operations, Pen Testing, and Red Teaming, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming November 16, 2023 A Visual Summary of SANS HackFest Summit Check out these ...
Read More -
Related rules
- Moriya Rootkit - System
- New Kernel Driver Via SC.EXE
- Suspicious New Service Creation
- Moriya Rootkit File Created
- OilRig APT Activity