EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Deny Service Access Using Security Descriptor Tampering Via Sc.EXE

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

MITRE ATT&CK

T1543.003
privilege-escalationpersistence

Detection Query

selection_sc:
  - Image|endswith: \sc.exe
  - OriginalFileName: sc.exe
selection_sdset:
  CommandLine|contains|all:
    - sdset
    - D;
selection_trustee:
  CommandLine|contains:
    - ;IU
    - ;SU
    - ;BA
    - ;SY
    - ;WD
condition: all of selection_*

Author

Jonhnathan Ribeiro, oscd.community

Created

2020-10-16

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1543.003
Raw Content
title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
related:
    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
      type: similar
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
      type: similar
status: test
description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
references:
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Jonhnathan Ribeiro, oscd.community
date: 2020-10-16
modified: 2023-02-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sdset:
        CommandLine|contains|all:
            - 'sdset'
            - 'D;' # Deny Access
    selection_trustee:
        CommandLine|contains:
            - ';IU' # Interactively logged-on user
            - ';SU' # Service logon user
            - ';BA' # Built-in administrators
            - ';SY' # Local system
            - ';WD' # Everyone
    condition: all of selection_*
falsepositives:
    - Unknown
level: high