Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Sigma rule (View on GitHub)
1title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
2id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
3related:
4 - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
5 type: similar
6status: test
7description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
8references:
9 - https://twitter.com/0gtweet/status/1628720819537936386
10 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
11 - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2023/02/28
14tags:
15 - attack.persistence
16 - attack.t1543.003
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_sc:
22 - Image|endswith: '\sc.exe'
23 - OriginalFileName: 'sc.exe'
24 selection_sdset:
25 CommandLine|contains|all:
26 - 'sdset'
27 - 'A;' # Allow Access
28 selection_trustee:
29 CommandLine|contains:
30 - ';IU' # Interactively logged-on user
31 - ';SU' # Service logon user
32 - ';BA' # Built-in administrators
33 - ';SY' # Local system
34 - ';WD' # Everyone
35 condition: all of selection_*
36falsepositives:
37 - Unknown
38level: high
References
-
-
What follows is an appendix which pieces together several disparate Microsoft documents on the SDDL syntax. The SDDL syntax is important if you do coding of directory security or manually edit a...
Read More -
Related rules
- PSEXEC Remote Execution File Artefact
- Sysinternals PsService Execution
- Remote Access Tool Services Have Been Installed - Security
- StoneDrill Service Install
- Turla PNG Dropper Service