Suspicious Modification of Service Control Manager Permissions Via Sc.EXE

Rule Info

Name
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE
Author
Florian Roth
Description
Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions (e.g., Everyone group) to control system services. This behavior can indicate an attempt at local privilege escalation by allowing unauthorized users to manipulate critical services.
Reference
https://x.com/akaclandestine/status/1832917886261973202
Date
2024-09-19 00:00:00
Modified
None
Id
5653d2da-b52d-49f5-ba03-6030902bd1ce
Tags
attack.privilege-escalation
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022