Detectionhightest
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Feb 28Updated Wed Oct 226c8fbee5-dee8-49bc-851d-c3142d02aa47windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'A;' # Allow Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
filter_optional_hexnode:
ParentImage: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
condition: all of selection_* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
6c8fbee5-dee8-49bc-851d-c3142d02aa47
Status
test
Level
high
Type
Detection
Created
Tue Feb 28
Modified
Wed Oct 22
Path
rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1543.003