Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Sigma rule
title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
related:
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
      type: similar
status: test
description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
references:
    - https://twitter.com/0gtweet/status/1628720819537936386
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sdset:
        CommandLine|contains|all:
            - 'sdset'
            - 'A;' # Allow Access
    selection_trustee:
        CommandLine|contains:
            - ';IU' # Interactively logged-on user
            - ';SU' # Service logon user
            - ';BA' # Built-in administrators
            - ';SY' # Local system
            - ';WD' # Everyone
    filter_optional_hexnode:
        ParentImage: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
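To show how the three selections and the optional filter combine, here is an added Python check (not part of the Sigma rule or of SigmaHQ) that evaluates the rule's condition against constructed process_creation events; the event fields and the sample command lines are assumptions made for the example.

```python
from dataclasses import dataclass

# Trustee SID-string aliases the rule flags (selection_trustee)
SUSPICIOUS_TRUSTEES = (";IU", ";SU", ";BA", ";SY", ";WD")
# Parent image excluded by filter_optional_hexnode
HEXNODE_PARENT = r"C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe"

@dataclass
class ProcessEvent:
    """Minimal process_creation event with the fields the rule reads."""
    image: str
    original_file_name: str
    command_line: str
    parent_image: str = ""

def matches_rule(ev: ProcessEvent) -> bool:
    """Evaluate 'all of selection_* and not 1 of filter_optional_*'.
    Sigma string matching is case-insensitive, so everything is lowered."""
    cl = ev.command_line.lower()
    # selection_sc: a list of maps is OR-ed, so either field suffices
    sel_sc = (ev.image.lower().endswith("\\sc.exe")
              or ev.original_file_name.lower() == "sc.exe")
    # selection_sdset: contains|all, both substrings are required
    sel_sdset = "sdset" in cl and "a;" in cl
    # selection_trustee: contains, any one of the trustee fragments
    sel_trustee = any(t.lower() in cl for t in SUSPICIOUS_TRUSTEES)
    # filter_optional_hexnode: an exact ParentImage match suppresses the hit
    filt_hexnode = ev.parent_image.lower() == HEXNODE_PARENT.lower()
    return sel_sc and sel_sdset and sel_trustee and not filt_hexnode

SC = r"C:\Windows\System32\sc.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (not real telemetry)
EVENTS = [
    # Allow ACE granting broad rights to Everyone (WD): should alert
    ProcessEvent(SC, "sc.exe", "sc.exe sdset Svc D:(A;;CCLCSWRPWPDTLOCRRC;;;WD)", CMD),
    # Deny ACE against interactive users: the companion Deny rule's job, not this one
    ProcessEvent(SC, "sc.exe", "sc.exe sdset Svc D:(D;;DCLCWPDTSD;;;IU)", CMD),
    # sdshow only reads the descriptor: no 'sdset', so no alert
    ProcessEvent(SC, "sc.exe", "sc.exe sdshow Svc", CMD),
    # Renamed binary: OriginalFileName still identifies sc.exe, so it alerts
    ProcessEvent(r"C:\Temp\svc.exe", "sc.exe", "svc.exe sdset Svc D:(A;;GA;;;BA)", CMD),
    # Same kind of allow ACE but spawned by the Hexnode agent: suppressed by the filter
    ProcessEvent(SC, "sc.exe", "sc.exe sdset Svc D:(A;;GA;;;SY)", HEXNODE_PARENT),
]

def alerts(events):
    """Return the command lines the rule would fire on."""
    return [ev.command_line for ev in events if matches_rule(ev)]
```

Because the matching is case-insensitive substring matching, the 'A;' fragment also hits rights strings such as 'GA;' inside a Deny ACE; it is the trustee fragments that narrow the hit, so review the full SDDL string when triaging.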
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Malicious Driver Load