Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Sigma rule
```yaml
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
```
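As an added example that is not part of the rule or the Sigma project, the rule's condition re-implemented in Python and evaluated over constructed process_creation events; the dict keys mirror the rule's Sigma field names, and Sigma's default case-insensitive string matching is assumed.

```python
"""Evaluate the Sigma rule's condition over constructed process_creation events.
Added example, not Sigma project code; event dicts use the rule's field names."""

# Sigma string matching is case-insensitive by default, so compare lower-cased.
INTEGRITY_LEVELS = {"medium", "s-1-16-8192"}

def contains_all(value, needles):
    """Sigma 'contains|all': every needle is a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matches_rule(event):
    """True when the event satisfies 'scbynonadmin and 1 of selection_*'."""
    sc_by_nonadmin = (
        event.get("Image", "").lower().endswith("\\sc.exe")
        and event.get("IntegrityLevel", "").lower() in INTEGRITY_LEVELS
    )
    if not sc_by_nonadmin:
        return False
    cmd = event.get("CommandLine", "")
    selection_binpath = contains_all(cmd, ("config", "binPath"))
    selection_failure = contains_all(cmd, ("failure", "command"))
    return selection_binpath or selection_failure

# Constructed sample events, not real telemetry. Only the first two should fire:
# the third runs at High integrity (an elevated admin), the fourth does not
# change binPath or the failure command, the fifth is not sc.exe itself.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe", "IntegrityLevel": "Medium",
     "CommandLine": r'sc config MySvc binPath= "C:\Temp\svc.exe"'},
    {"Image": r"C:\Windows\System32\sc.exe", "IntegrityLevel": "S-1-16-8192",
     "CommandLine": r'sc failure MySvc command= "C:\Temp\run.cmd"'},
    {"Image": r"C:\Windows\System32\sc.exe", "IntegrityLevel": "High",
     "CommandLine": r'sc config MySvc binPath= "C:\Temp\svc.exe"'},
    {"Image": r"C:\Windows\System32\sc.exe", "IntegrityLevel": "Medium",
     "CommandLine": "sc query MySvc"},
    {"Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": "cmd /c sc config MySvc binPath= x"},
]

def run_detection(events):
    """Return the indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # [0, 1]
```

The fifth event shows that the rule keys on the Image field: a wrapper like cmd.exe does not match, but the sc.exe child process it spawns produces its own process_creation event that does.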
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request
- Service Security Descriptor Tampering Via Sc.EXE