Possible Privilege Escalation via Weak Service Permissions
Detects sc.exe being launched by a user at Medium integrity level to change a service's ImagePath (binPath) or FailureCommand, the usual next step after finding a service whose DACL grants a low-privileged user configuration rights
Sigma rule

```yaml
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2022/07/14
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel: 'Medium'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
```
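To show what the condition `scbynonadmin and 1 of selection_*` actually matches, the following is an added example (not part of the Sigma project or this rule's author's material): a minimal Python implementation of the rule's three selections, run over constructed process-creation records. Field names follow the Sigma Windows `process_creation` taxonomy (`Image`, `CommandLine`, `IntegrityLevel`); the service name `WeakSvc`, the paths and every event below are made up for illustration. String matching is done case-insensitively, as Sigma's `contains` and `endswith` modifiers are by default, so `binpath=` and `binPath=` both match. Note the last record: `IntegrityLevel` is populated by Sysmon Event ID 1, and a record from a source that does not supply that field can never satisfy `scbynonadmin`, so coverage depends on the telemetry feeding the rule.

```python
# Added example, not the Sigma project's code: evaluates the rule's logic
# over constructed process_creation events.

def _contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': every needle must appear in the value.
    Sigma string matching is case-insensitive by default."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_weak_service_perms(event: dict) -> bool:
    """Evaluate 'scbynonadmin and 1 of selection_*' for one event."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    integrity = event.get("IntegrityLevel", "")

    # scbynonadmin: sc.exe launched at Medium integrity, i.e. a non-elevated user
    scbynonadmin = image.lower().endswith("\\sc.exe") and integrity.lower() == "medium"
    if not scbynonadmin:
        return False

    # selection_binpath: 'sc config <svc> binPath= ...' rewrites the service ImagePath
    selection_binpath = _contains_all(cmdline, ["config", "binPath"])
    # selection_failure: 'sc failure <svc> command= ...' sets the FailureCommand
    selection_failure = _contains_all(cmdline, ["failure", "command"])

    # '1 of selection_*' : at least one of the two selections
    return selection_binpath or selection_failure


# Constructed sample events (not real telemetry); WeakSvc is a hypothetical service.
SAMPLE_EVENTS = [
    {   # 0: binPath rewrite of a weakly-ACL'd service from a Medium-IL shell -> match
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": 'sc config WeakSvc binPath= "C:\\Users\\bob\\evil.exe"',
        "IntegrityLevel": "Medium",
    },
    {   # 1: FailureCommand abuse, same attacker context -> match
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": 'sc failure WeakSvc actions= restart/1000 command= "cmd /c C:\\Users\\bob\\evil.exe"',
        "IntegrityLevel": "Medium",
    },
    {   # 2: an administrator doing the same from an elevated (High IL) shell -> no match
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": 'sc config Spooler binPath= "C:\\Windows\\System32\\spoolsv.exe"',
        "IntegrityLevel": "High",
    },
    {   # 3: benign query from Medium IL, neither selection fires -> no match
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": "sc query WeakSvc",
        "IntegrityLevel": "Medium",
    },
    {   # 4: same command as 0, but the log source did not populate IntegrityLevel -> no match
        "Image": "C:\\Windows\\System32\\sc.exe",
        "CommandLine": 'sc config WeakSvc binPath= "C:\\Users\\bob\\evil.exe"',
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_weak_service_perms(e)]


if __name__ == "__main__":
    print(run_detection())  # [0, 1]
```

Event 4 is the case worth remembering when tuning: the rule is only as good as the integrity-level field in the process-creation source, and an elevated attacker (event 2) is deliberately out of scope because there is no privilege boundary left to cross.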
Related rules
- UAC Bypass With Fake DLL
- Potential UAC Bypass Via Sdclt.EXE
- UAC Bypass Tools Using ComputerDefaults
- UAC Bypass Using Event Viewer RecentViews
- Rundll32 Registered COM Objects