Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

Rule Info

Tags
attack.persistence DEMO attack.t1543.003
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems)
Name
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Description
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Date
2023-02-28 00:00:00
Reference
https://twitter.com/0gtweet/status/1628720819537936386
Id
6c8fbee5-dee8-49bc-851d-c3142d02aa47
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=6c8fbee5-dee8-49bc-851d-c3142d02aa47

Rule History

Commit
Date
Author
Title
7da6ac665
2023-02-28
Nasreddine Bencherchali
fix: apply typo fix suggestions from code review
5689263f3
2023-02-28
Nasreddine Bencherchali
fix: add missing modified
137dcbcc5
2023-02-28
Nasreddine Bencherchali
feat: more updates and fixes
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022