Techniques
Sample rules
Abuse of Service Permissions to Hide Services Via Set-Service
- source: sigma
- techniques:
  - t1574
  - t1574.011
Description
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)
Detection logic
condition: all of selection_*
selection_cmdlet:
  CommandLine|contains:
    - '-SecurityDescriptorSddl '
    - '-sd '
selection_img:
  - Image|endswith: \pwsh.exe
  - OriginalFileName: pwsh.dll
selection_sddl:
  CommandLine|contains|all:
    - 'Set-Service '
    - DCLCWPDTSD
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- source: sigma
- techniques:
  - t1574
  - t1574.011
Description
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)
Detection logic
condition: all of selection_*
selection_sddl_flag:
  ScriptBlockText|contains:
    - '-SecurityDescriptorSddl '
    - '-sd '
selection_set_service:
  ScriptBlockText|contains:
    - ;;;IU
    - ;;;SU
    - ;;;BA
    - ;;;SY
    - ;;;WD
  ScriptBlockText|contains|all:
    - 'Set-Service '
    - D;;
Abuse of Service Permissions to Hide Services Via Set-Service - PS
- source: sigma
- techniques:
  - t1574
  - t1574.011
Description
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7.)
Detection logic
condition: selection
selection:
  ScriptBlockText|contains:
    - '-SecurityDescriptorSddl '
    - '-sd '
  ScriptBlockText|contains|all:
    - 'Set-Service '
    - DCLCWPDTSD
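To see how the three rules above actually combine their selections, here is the matching logic of all three reimplemented in plain Python and run over a handful of constructed events. This is an added example, not code from the Sigma project or from any rule author; the event dictionaries are made up for the test, the field names (CommandLine, Image, OriginalFileName, ScriptBlockText) are the ones the rules use, and the case-insensitive `contains` matching mirrors the default behaviour of Sigma backends.

```python
"""Plain-Python evaluation of the three Set-Service Sigma rules on this page.

The patterns are copied from the rules; the events are constructed samples,
not real telemetry. Sigma string modifiers (contains, endswith) match
case-insensitively in the common backends, so that is what is reproduced.
"""

# Patterns taken from the rules above.
SDDL_FLAGS = ("-SecurityDescriptorSddl ", "-sd ")
HIDE_RIGHTS = "DCLCWPDTSD"            # access mask the hiding rules key on
SET_SERVICE = "Set-Service "
DENY_ACE_PREFIX = "D;;"               # start of a deny ACE inside an SDDL string
WELL_KNOWN_SIDS = (";;;IU", ";;;SU", ";;;BA", ";;;SY", ";;;WD")


def _contains_any(value, needles):
    """Sigma 'contains' with a list: any needle present (case-insensitive)."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    """Sigma 'contains|all': every needle present (case-insensitive)."""
    v = (value or "").lower()
    return all(n.lower() in v for n in needles)


def rule_hide_service_proc(event):
    """'Abuse of Service Permissions to Hide Services Via Set-Service'
    (process creation log): condition 'all of selection_*'."""
    cmd = event.get("CommandLine", "")
    selection_cmdlet = _contains_any(cmd, SDDL_FLAGS)
    selection_img = (
        event.get("Image", "").lower().endswith("\\pwsh.exe")
        or event.get("OriginalFileName", "").lower() == "pwsh.dll"
    )
    selection_sddl = _contains_all(cmd, (SET_SERVICE, HIDE_RIGHTS))
    return selection_cmdlet and selection_img and selection_sddl


def rule_susp_dacl_modification_ps(event):
    """'Suspicious Service DACL Modification Via Set-Service Cmdlet - PS'
    (script block log): condition 'all of selection_*'. The two keys under
    selection_set_service are AND-ed, as sibling keys in a Sigma map are."""
    sb = event.get("ScriptBlockText", "")
    selection_sddl_flag = _contains_any(sb, SDDL_FLAGS)
    selection_set_service = _contains_any(sb, WELL_KNOWN_SIDS) and _contains_all(
        sb, (SET_SERVICE, DENY_ACE_PREFIX)
    )
    return selection_sddl_flag and selection_set_service


def rule_hide_service_ps(event):
    """'Abuse of Service Permissions to Hide Services Via Set-Service - PS'
    (script block log): condition 'selection'."""
    sb = event.get("ScriptBlockText", "")
    return _contains_any(sb, SDDL_FLAGS) and _contains_all(sb, (SET_SERVICE, HIDE_RIGHTS))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: PowerShell 7 process creation carrying the hiding mask
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh.exe -c \"Set-Service -Name Spooler "
                       "-SecurityDescriptorSddl 'D:(D;;DCLCWPDTSD;;;IU)'\"",
    },
    {   # 1: same command line under Windows PowerShell 5.1; selection_img
        #    does not match pwsh, so the process rule stays quiet
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c \"Set-Service -Name Spooler -sd 'D:(D;;DCLCWPDTSD;;;IU)'\"",
    },
    {   # 2: script block with a deny ACE for Interactive Users, but not the full hiding mask
        "ScriptBlockText": "Set-Service -Name MySvc -sd 'D:(D;;DT;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;BA)'",
    },
    {   # 3: benign Set-Service usage with no SDDL at all
        "ScriptBlockText": "Set-Service -Name Spooler -StartupType Manual",
    },
    {   # 4: script block with the hiding mask; both PS rules overlap here
        "ScriptBlockText": "Set-Service -Name Spooler -SecurityDescriptorSddl 'D:(D;;DCLCWPDTSD;;;IU)'",
    },
]


def evaluate(events):
    """Return, per event (in order), the names of the rules that fired."""
    rules = {
        "hide_service_proc": rule_hide_service_proc,
        "susp_dacl_modification_ps": rule_susp_dacl_modification_ps,
        "hide_service_ps": rule_hide_service_ps,
    }
    return [[name for name, fn in rules.items() if fn(ev)] for ev in events]


if __name__ == "__main__":
    for i, hits in enumerate(evaluate(SAMPLE_EVENTS)):
        print(i, hits or "-")
```

Two things worth noticing when tuning these rules: the trailing space in `'-SecurityDescriptorSddl '` and `'-sd '` means the match keys on the flag as a whole token, and the second rule is the broader of the two script block rules (any deny ACE against a well-known SID), so event 4 fires both PS rules while event 2 fires only the DACL-modification one.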