Suspicious Modification of Service Control Manager Permissions Via Sc.EXE

Rule Info

Name
Suspicious Modification of Service Control Manager Permissions Via Sc.EXE
Author
Florian Roth
Description
Detects changes to the Service Control Manager (SCManager) security descriptor that grant excessive permissions to control system services (e.g., to the Everyone group). This behavior can indicate an attempt at local privilege escalation, because it allows unauthorized users to manipulate critical services.
Date
2024-09-19 00:00:00
Modified
None
Id
5653d2da-b52d-49f5-ba03-6030902bd1ce
Tags
attack.privilege-escalation
Type
Nextron Sigma feed only (private)

Rule History