Service DACL Abuse To Hide Services Via Sc.EXE

calendar Aug 12, 2024 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.t1574.011  ·
Share on: linkedin copy

Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.

Sigma rule (View on GitHub)

 1title: Service DACL Abuse To Hide Services Via Sc.EXE
 2id: a537cfc3-4297-4789-92b5-345bfd845ad0
 3related:
 4    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
 5      type: similar
 6    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
 7      type: similar
 8status: test
 9description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
10references:
11    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
12    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
13    - https://twitter.com/Alh4zr3d/status/1580925761996828672
14    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
15author: Andreas Hunkeler (@Karneades)
16date: 2021-12-20
17modified: 2022-08-08
18tags:
19    - attack.persistence
20    - attack.defense-evasion
21    - attack.privilege-escalation
22    - attack.t1574.011
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith: '\sc.exe'
29        - OriginalFileName: 'sc.exe'
30    selection_cli:
31        CommandLine|contains|all:
32            - 'sdset'
33            # Summary of permissions
34            #   DC: Delete All Child Objects
35            #   LC: List Contents
36            #   WP: Write All Properties
37            #   DT: Delete Subtree
38            #   SD: Delete
39            - 'DCLCWPDTSD'
40    condition: all of selection_*
41falsepositives:
42    - Unknown
43level: high

References

  • Threat hunting in large datasets by clustering security events

    By Tiago Pereira. * Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. * Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. * This post walks through threat hunting on large datasets by


    Read More

  • SANS Cyber Security Certifications & Research

    Blog Offensive Operations, Pen Testing, and Red Teaming, Penetration Testing and Red Teaming October 4, 2023 SEC670 Prep Quiz Answers Answers for the SEC670 Prep Quiz. For more details about the co...


    Read More

  • x.com


    Read More

  • Understanding SDDL Syntax

    What follows is an appendix which pieces together several disparate Microsoft documents on the SDDL syntax. The SDDL syntax is important if you do coding of directory security or manually edit a...


    Read More

Related rules

to-top