Detectionhightest
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Oct 2422d80745-6f2c-46da-826b-77adaededd74windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script
Definition
Requirements: Script Block Logging must be enabled
Detection Logic
Detection Logic2 selectors
detection:
selection_sddl_flag:
ScriptBlockText|contains:
- '-SecurityDescriptorSddl '
- '-sd '
selection_set_service:
ScriptBlockText|contains|all:
- 'Set-Service '
- 'D;;'
ScriptBlockText|contains:
- ';;;IU'
- ';;;SU'
- ';;;BA'
- ';;;SY'
- ';;;WD'
condition: all of selection_*False Positives
Rare intended use of hidden services
Rare FP could occur due to the non linearity of the ScriptBlockText log
MITRE ATT&CK
Rule Metadata
Rule ID
22d80745-6f2c-46da-826b-77adaededd74
Status
test
Level
high
Type
Detection
Created
Mon Oct 24
Path
rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
Raw Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574.011