Service Security Descriptor Tampering Via Sc.EXE

Rule Info

Tags
attack.persistence attack.privilege_escalation DEMO attack.defense_evasion attack.t1574.011
Modified
None
Author
Nasreddine Bencherchali (Nextron Systems)
Name
Service Security Descriptor Tampering Via Sc.EXE
Description
Detection of sc.exe utility adding a new service with special permission which hides that service.
Date
2023-02-28 00:00:00
Reference
https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
Id
98c5aeef-32d5-492f-b174-64a691896d25
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=98c5aeef-32d5-492f-b174-64a691896d25

Rule History

Commit
Date
Author
Title
7da6ac665
2023-02-28
Nasreddine Bencherchali
fix: apply typo fix suggestions from code review
1353d5748
2023-02-28
Nasreddine Bencherchali
fix: issues with CICD
137dcbcc5
2023-02-28
Nasreddine Bencherchali
feat: more updates and fixes
2ef681291
2023-02-14
Nasreddine Bencherchali
feat: more rules updates
1f8e37351
2022-10-28
frack113
order yaml
b5500687f
2022-10-17
Nasreddine Bencherchali
Add Hide Service Via SDDL Rule
b905df6bc
2022-08-09
Nasreddine Bencherchali
Updates + New Rules
2e689eca5
2022-05-13
Nasreddine Bencherchali
Quick Fix
d8a3ca691
2022-05-12
Nasreddine Bencherchali
Updated Rules to Use OriginalFileName
8bb3379b6
2022-02-22
frack113
Normalization of rule names
090e0304d
2021-12-20
Andreas Hunkeler
rule: abuse of permissions to hide services
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022