Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

calendar Feb 28, 2023 · attack.persistence attack.t1543.003  ·
Share on: linkedin copy

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

Sigma rule (View on GitHub)

 1title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
 2id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
 3related:
 4    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
 5      type: similar
 6    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
 7      type: similar
 8status: test
 9description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
10references:
11    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
12    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
13    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
14author: Jonhnathan Ribeiro, oscd.community
15date: 2020/10/16
16modified: 2023/02/28
17tags:
18    - attack.persistence
19    - attack.t1543.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_sc:
25        - Image|endswith: '\sc.exe'
26        - OriginalFileName: 'sc.exe'
27    selection_sdset:
28        CommandLine|contains|all:
29            - 'sdset'
30            - 'D;' # Deny Access
31    selection_trustee:
32        CommandLine|contains:
33            - ';IU' # Interactively logged-on user
34            - ';SU' # Service logon user
35            - ';BA' # Built-in administrators
36            - ';SY' # Local system
37            - ';WD' # Everyone
38    condition: all of selection_*
39falsepositives:
40    - Unknown
41level: high

References

Related rules

to-top