Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'D;' # Deny Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
condition: all of selection_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Sub-techniques
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Detects similar activity. Both rules may fire on overlapping events.
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Detects similar activity. Both rules may fire on overlapping events.