- false positives are expected from legitimate system administrator scripts or installation utilities. filter known parent image and commandline combinations.

Techniques

T1564

Sample rules

Windows New Service Security Descriptor Set Via Sc.EXE

source: splunk
technicques:
- T1564

Description

The following analytic detects changes in a service security descriptor. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for any process execution involving the “sc.exe” binary with the “sdset” flag targeting any service. This behavior can be legitimate, such as when a user or administrator is configuring a service’s security settings. Investigate appropariate services to determine if the behavior is malicious. If confirmed malicious, this could allow an attacker to escalate their privileges, blind defenses and more.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        values(Processes.process) as process

FROM datamodel=Endpoint.Processes WHERE
(
    Processes.process_name=sc.exe
    OR
    Processes.original_file_name=sc.exe
)
Processes.process="*sdset *"
BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_new_service_security_descriptor_set_via_sc_exe_filter`