Possible Privilege Escalation via Weak Service Permissions

Detects the sc.exe utility being spawned by a user at Medium integrity level to change a service's ImagePath (via `config ... binPath=`) or its FailureCommand (via `failure ... command=`).

Sigma rule (View on GitHub)

title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
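To make the detection logic concrete, here is an added example (it is not part of this page or of the SigmaHQ project): a small Python evaluator that applies the rule's condition, `scbynonadmin and 1 of selection_*`, to constructed process_creation events. Field names follow the Sigma Windows taxonomy used by the rule (Image, IntegrityLevel, CommandLine); the service name, paths and events are made up, and Sigma's default case-insensitive string matching is reproduced as an assumption about how a backend would compile the rule.

```python
# Added example, not the page's or SigmaHQ's own code: a minimal evaluator for
# the rule above, run over constructed process_creation events.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessEvent:
    Image: str
    IntegrityLevel: str
    CommandLine: str


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma's |contains|all modifier: every substring present, case-insensitive."""
    lowered = value.lower()
    return all(n.lower() in lowered for n in needles)


def matches_rule(ev: ProcessEvent) -> bool:
    """Evaluate 'scbynonadmin and 1 of selection_*' for a single event."""
    # scbynonadmin: sc.exe launched at Medium integrity (name or SID form)
    scbynonadmin = (
        ev.Image.lower().endswith("\\sc.exe")
        and ev.IntegrityLevel.lower() in ("medium", "s-1-16-8192")
    )
    # selection_binpath: 'sc config <svc> binPath= ...' rewrites the ImagePath
    selection_binpath = _contains_all(ev.CommandLine, ["config", "binPath"])
    # selection_failure: 'sc failure <svc> ... command= ...' sets a FailureCommand
    selection_failure = _contains_all(ev.CommandLine, ["failure", "command"])
    # '1 of selection_*' is an OR over the two selections
    return scbynonadmin and (selection_binpath or selection_failure)


# Constructed sample events (hypothetical service name and paths).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(  # 0: non-admin rewriting a service binary path -> alert
        r"C:\Windows\System32\sc.exe", "Medium",
        r'sc.exe config ExampleSvc binPath= "C:\Users\alice\AppData\Local\Temp\example.exe"',
    ),
    ProcessEvent(  # 1: same command from an elevated shell -> out of scope for this rule
        r"C:\Windows\System32\sc.exe", "High",
        r'sc.exe config ExampleSvc binPath= "C:\Users\alice\AppData\Local\Temp\example.exe"',
    ),
    ProcessEvent(  # 2: non-admin setting a failure command (SID form of Medium) -> alert
        r"C:\Windows\System32\sc.exe", "S-1-16-8192",
        r'sc.exe failure ExampleSvc actions= restart/60000 command= "C:\Users\alice\AppData\Local\Temp\example.exe"',
    ),
    ProcessEvent(  # 3: harmless query from a non-admin -> no alert
        r"C:\Windows\System32\sc.exe", "Medium",
        "sc.exe query ExampleSvc",
    ),
    ProcessEvent(  # 4: same tokens on cmd.exe's command line -> no alert (Image filter)
        r"C:\Windows\System32\cmd.exe", "Medium",
        r"cmd.exe /c sc config ExampleSvc binPath= C:\example.exe",
    ),
]


def matching_indices(events: Iterable[ProcessEvent]) -> List[int]:
    """Return the positions of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].CommandLine}")
```

Event 4 shows a gap worth knowing about when tuning: the rule keys on the sc.exe image, so the same arguments only become visible as a child sc.exe process event, not on the parent's command line. Because `contains` is case-insensitive, `binpath=` and `BINPATH=` match just as `binPath=` does; since the rule lists its false positives as Unknown, expect to baseline legitimate installers and management agents that configure services from a Medium-integrity context.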
