Suspicious Service DACL Modification Via Set-Service Cmdlet

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable

Sigma rule (View on GitHub)

 1title: Suspicious Service DACL Modification Via Set-Service Cmdlet
 2id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
 3related:
 4    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
 5      type: derived
 6status: test
 7description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
 8references:
 9    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
10    - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-10-18
13tags:
14    - attack.persistence
15    - attack.t1543.003
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\pwsh.exe'
22        - OriginalFileName: 'pwsh.dll'
23    selection_sddl_flag:
24        CommandLine|contains:
25            - '-SecurityDescriptorSddl '
26            - '-sd '
27    selection_set_service:
28        CommandLine|contains|all:
29            - 'Set-Service '
30            - 'D;;'
31        CommandLine|contains:
32            - ';;;IU'
33            - ';;;SU'
34            - ';;;BA'
35            - ';;;SY'
36            - ';;;WD'
37    condition: all of selection_*
38falsepositives:
39    - Unknown
40level: high

References

Related rules

to-top