Service Security Descriptor Tampering Via Sc.EXE

 1title: Service Security Descriptor Tampering Via Sc.EXE
 2id: 98c5aeef-32d5-492f-b174-64a691896d25
 3related:
 4    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
 5      type: similar
 6    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
 7      type: similar
 8status: test
 9description: Detection of sc.exe utility adding a new service with special permission which hides that service.
10references:
11    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
12    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
13    - https://twitter.com/Alh4zr3d/status/1580925761996828672
14    - https://twitter.com/0gtweet/status/1628720819537936386
15    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
16author: Nasreddine Bencherchali (Nextron Systems)
17date: 2023-02-28
18tags:
19    - attack.persistence
20    - attack.defense-evasion
21    - attack.privilege-escalation
22    - attack.t1574.011
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - Image|endswith: '\sc.exe'
29        - OriginalFileName: 'sc.exe'
30    selection_cli:
31        CommandLine|contains: 'sdset'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: medium

References

• Threat hunting in large datasets by clustering security events

  

  By Tiago Pereira. * Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. * Big data processing tools, such as spark, can be a powerful tool in the arsenal of security teams. * This post walks through threat hunting on large datasets by

  
  Read More

• SANS Cyber Security Certifications & Research

  Blog Offensive Operations, Pen Testing, and Red Teaming, Penetration Testing and Red Teaming October 4, 2023 SEC670 Prep Quiz Answers Answers for the SEC670 Prep Quiz. For more details about the co...

  
  Read More

• x.com

  
  Read More

• x.com

  
  Read More

• Understanding SDDL Syntax

  

  What follows is an appendix which pieces together several disparate Microsoft documents on the SDDL syntax. The SDDL syntax is important if you do coding of directory security or manually edit a...

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Possible Privilege Escalation via Weak Service Permissions
• Service DACL Abuse To Hide Services Via Sc.EXE
• Service Registry Key Read Access Request