← Back to Explore
sigmahighHunting
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Detection Query
selection:
ScriptBlockText|contains|all:
- "Set-Service "
- DCLCWPDTSD
ScriptBlockText|contains:
- "-SecurityDescriptorSddl "
- "-sd "
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-17
Data Sources
windowsps_script
Platforms
windows
References
Tags
attack.persistenceattack.defense-evasionattack.privilege-escalationattack.t1574.011
Raw Content
title: Abuse of Service Permissions to Hide Services Via Set-Service - PS
id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
related:
- id: 514e4c3a-c77d-4cde-a00f-046425e2301e
type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
- attack.persistence
- attack.defense-evasion
- attack.privilege-escalation
- attack.t1574.011
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Service '
- 'DCLCWPDTSD'
ScriptBlockText|contains:
- '-SecurityDescriptorSddl '
- '-sd '
condition: selection
falsepositives:
- Rare intended use of hidden services
- Rare FP could occur due to the non linearity of the ScriptBlockText log
level: high