Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.t1543.003  ·
Share on: linkedin copy

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Sigma rule (View on GitHub)

 1title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
 2id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
 3related:
 4    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
 5      type: similar
 6    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
 7      type: similar
 8status: test
 9description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
10references:
11    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
12    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
13    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
14author: Jonhnathan Ribeiro, oscd.community
15date: 2020-10-16
16modified: 2023-02-28
17tags:
18    - attack.privilege-escalation
19    - attack.persistence
20    - attack.t1543.003
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_sc:
26        - Image|endswith: '\sc.exe'
27        - OriginalFileName: 'sc.exe'
28    selection_sdset:
29        CommandLine|contains|all:
30            - 'sdset'
31            - 'D;' # Deny Access
32    selection_trustee:
33        CommandLine|contains:
34            - ';IU' # Interactively logged-on user
35            - ';SU' # Service logon user
36            - ';BA' # Built-in administrators
37            - ';SY' # Local system
38            - ';WD' # Everyone
39    condition: all of selection_*
40falsepositives:
41    - Unknown
42level: high

References

Related rules

to-top