Service DACL Abuse To Hide Services Via Sc.EXE

calendar Oct 17, 2023 · attack.persistence attack.defense_evasion attack.privilege_escalation attack.t1574.011  ·
Share on: linkedin copy

Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.

Sigma rule (View on GitHub)

 1title: Service DACL Abuse To Hide Services Via Sc.EXE
 2id: a537cfc3-4297-4789-92b5-345bfd845ad0
 3related:
 4    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
 5      type: similar
 6    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
 7      type: similar
 8status: test
 9description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
10references:
11    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
12    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
13    - https://twitter.com/Alh4zr3d/status/1580925761996828672
14    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
15author: Andreas Hunkeler (@Karneades)
16date: 2021/12/20
17modified: 2022/08/08
18tags:
19    - attack.persistence
20    - attack.defense_evasion
21    - attack.privilege_escalation
22    - attack.t1574.011
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith: '\sc.exe'
29        - OriginalFileName: 'sc.exe'
30    selection_cli:
31        CommandLine|contains|all:
32            - 'sdset'
33            # Summary of permissions
34            #   DC: Delete All Child Objects
35            #   LC: List Contents
36            #   WP: Write All Properties
37            #   DT: Delete Subtree
38            #   SD: Delete
39            - 'DCLCWPDTSD'
40    condition: all of selection_*
41falsepositives:
42    - Unknown
43level: high

References

  • Threat hunting in large datasets by clustering security events

    By Tiago Pereira. * Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. * Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. * This post walks through threat hunting on large datasets by


    Read More

  • SANS Cyber Security Certifications & Research

    Offensive Operations, Pen Testing, and Red Teaming, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming November 16, 2023 A Visual Summary of SANS HackFest Summit Check out these ...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Understanding SDDL Syntax

    What follows is an appendix which pieces together several disparate Microsoft documents on the SDDL syntax. The SDDL syntax is important if you do coding of directory security or manually edit a...


    Read More

Related rules

to-top