Possible Privilege Escalation via Weak Service Permissions
Detects sc.exe being launched at Medium integrity level (a non-elevated process) to change a service's binary path (ImagePath via `binPath=`) or its failure-recovery command (`failure ... command=`). A service whose DACL lets a standard user modify its configuration can be repointed to attacker-controlled code that then runs with the service's privileges, usually SYSTEM. The rule needs a process_creation source that carries the IntegrityLevel field (Sysmon Event ID 1); Security 4688 does not record it.
Sigma rule

```yaml
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2022-07-14
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel: 'Medium'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
```
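The rule's logic, re-implemented in plain Python and run over a handful of constructed Sysmon-style process_creation events, as an added example that is not SigmaHQ tooling or the rule author's code. The service name `VulnSvc`, the user names and the file paths are made up; field names follow the Sigma Windows taxonomy. Sigma string matching is case-insensitive by default, so the re-implementation lowercases both sides. The sample set deliberately includes the cases the rule is meant to stay quiet on (an elevated admin reconfiguring a service, a read-only `sc qc`) and one the rule cannot see at all (the same ImagePath change written straight to the registry with reg.exe, which never spawns sc.exe):

```python
# Added example: the Sigma rule above as executable Python, evaluated over
# constructed process_creation events. Not SigmaHQ code; service name,
# users and paths are hypothetical.

from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass
class ProcessEvent:
    """Fields named as in the Sigma Windows process_creation taxonomy."""
    Image: str
    CommandLine: str
    IntegrityLevel: str   # present in Sysmon Event ID 1, absent from Security 4688
    User: str = ""


def contains_all(haystack: str, needles: Sequence[str]) -> bool:
    """Sigma 'contains|all': every substring present, matched case-insensitively."""
    lowered = haystack.lower()
    return all(n.lower() in lowered for n in needles)


def matches(ev: ProcessEvent) -> bool:
    """Evaluate the condition 'scbynonadmin and 1 of selection_*' for one event."""
    scbynonadmin = (
        ev.Image.lower().endswith("\\sc.exe")
        and ev.IntegrityLevel.lower() == "medium"
    )
    selection_binpath = contains_all(ev.CommandLine, ("config", "binPath"))
    selection_failure = contains_all(ev.CommandLine, ("failure", "command"))
    return scbynonadmin and (selection_binpath or selection_failure)


def evaluate(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events the rule would alert on, in log order."""
    return [ev for ev in events if matches(ev)]


SC = r"C:\Windows\System32\sc.exe"

# Constructed sample events (hypothetical service "VulnSvc", user "alice").
SAMPLE_EVENTS = [
    # 1. Non-elevated user repoints a weakly-ACLed service's binary: alert.
    ProcessEvent(SC, r'sc.exe config VulnSvc binPath= "C:\Users\alice\payload.exe"',
                 "Medium", r"CORP\alice"),
    # 2. Same goal via the recovery action that runs when the service fails: alert.
    ProcessEvent(SC, r'sc.exe failure VulnSvc actions= restart/1000 command= "C:\Users\alice\payload.exe"',
                 "Medium", r"CORP\alice"),
    # 3. Same command from an elevated admin shell (High integrity): legitimate
    #    reconfiguration, the rule deliberately stays quiet.
    ProcessEvent(SC, r'sc.exe config Spooler binPath= "C:\Windows\System32\spoolsv.exe"',
                 "High", r"CORP\admin"),
    # 4. Read-only query at Medium integrity: reconnaissance, nothing changed, no alert.
    ProcessEvent(SC, r"sc.exe qc VulnSvc", "Medium", r"CORP\alice"),
    # 5. ImagePath changed directly in the registry (weak key ACL): no sc.exe
    #    process, so this rule cannot see it and another rule must cover it.
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\VulnSvc /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\alice\payload.exe" /f',
                 "Medium", r"CORP\alice"),
]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT [{ev.IntegrityLevel}] {ev.User}: {ev.CommandLine}")
```

Running the script prints alerts for events 1 and 2 only. Two practical caveats follow from the sample set: the rule keys on integrity level, not group membership, so a local administrator working from a non-elevated prompt also triggers it (which is why `falsepositives` is listed as unknown rather than none), and anything that edits the service without spawning sc.exe (a direct registry write, a service-control API call from a custom binary) is outside its scope.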
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request
- Service Security Descriptor Tampering Via Sc.EXE