Allow Service Access Using Security Descriptor Tampering Via Sc.EXE

Rule Info

Name
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Reference
https://twitter.com/0gtweet/status/1628720819537936386
Date
2023-02-28 00:00:00
Modified
None
Id
6c8fbee5-dee8-49bc-851d-c3142d02aa47
Tags
attack.persistence attack.t1543.003 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=6c8fbee5-dee8-49bc-851d-c3142d02aa47

Rule History

Author
Title
Date
Commit
github-actions[bot]
chore: promote older rules status from `experimental` to `test` (#4651)
2024-01-01
c3fe2da99
Nasreddine Bencherchali
fix: apply typo fix suggestions from code review
2023-02-28
7da6ac665
Nasreddine Bencherchali
fix: add missing modified
2023-02-28
5689263f3
Nasreddine Bencherchali
feat: more updates and fixes
2023-02-28
137dcbcc5
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022