Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_img:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_cli:
CommandLine|contains|all:
- 'sdset'
# Summary of permissions
# DC: Delete All Child Objects
# LC: List Contents
# WP: Write All Properties
# DT: Delete Subtree
# SD: Delete
- 'DCLCWPDTSD'
condition: all of selection_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Detects similar activity. Both rules may fire on overlapping events.
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Detects similar activity. Both rules may fire on overlapping events.