LoFP / rare intended use of hidden services

Techniques

Sample rules

Abuse of Service Permissions to Hide Services Via Set-Service

Description

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor (SDDL) that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. The "-SecurityDescriptorSddl" parameter (alias "-sd") works only in PowerShell 7, so this process-creation rule is scoped to pwsh.exe and keys on the DCLCWPDTSD rights string used by the well-known hide-service descriptor.

Detection logic

condition: all of selection_*
selection_cmdlet:
  CommandLine|contains:
  - '-SecurityDescriptorSddl '
  - '-sd '
selection_img:
- Image|endswith: \pwsh.exe
- OriginalFileName: pwsh.dll
selection_sddl:
  CommandLine|contains|all:
  - 'Set-Service '
  - DCLCWPDTSD

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Description

Detects usage of the "Set-Service" PowerShell cmdlet with a security descriptor that contains a deny ACE ("D;;") for a well-known principal (Interactive Users, Service Users, Administrators, SYSTEM or Everyone). This is the broader, script-block-logging variant of the hide-service rule: it does not require the DCLCWPDTSD rights string, so it also catches other deny-ACE DACL changes, including ones that do not hide the service from "sc.exe", "Get-Service", etc. (works only in PowerShell 7).

Detection logic

condition: all of selection_*
selection_sddl_flag:
  ScriptBlockText|contains:
  - '-SecurityDescriptorSddl '
  - '-sd '
selection_set_service:
  ScriptBlockText|contains:
  - ;;;IU
  - ;;;SU
  - ;;;BA
  - ;;;SY
  - ;;;WD
  ScriptBlockText|contains|all:
  - 'Set-Service '
  - D;;

Abuse of Service Permissions to Hide Services Via Set-Service - PS

Description

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor (SDDL) that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. This is the script-block-logging (Event ID 4104) counterpart of the process-creation rule above and keys on the same DCLCWPDTSD rights string (works only in PowerShell 7).

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - '-SecurityDescriptorSddl '
  - '-sd '
  ScriptBlockText|contains|all:
  - 'Set-Service '
  - DCLCWPDTSD
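The three rules above are easy to misread as equivalent, so here is their detection logic run over a handful of constructed events, followed by a small SDDL parser that tells an analyst whether a flagged descriptor actually hides the service (the case this LoFP entry is about) or only denies some other right. This is an added example, not code from the LoFP page or from the Sigma project: the events are constructed, not real telemetry; the Sigma-to-Python translation and the function names `hide_proc`, `dacl_psb` and `hide_psb` are this example's own shorthand for the three rule titles; and the mapping of the two-letter right "LC" to SERVICE_QUERY_STATUS follows Microsoft's service access-rights table.

```python
"""Run the three Set-Service SDDL rules above over constructed events and
explain the descriptor they flag.

Added example; not part of this page or the Sigma project. The events are
constructed (not real telemetry), the Sigma-to-Python translation is this
example's own, and the function names are shorthand for the three rule
titles. Sigma string modifiers are case-insensitive, so both sides of every
comparison are lowercased.
"""
import re

# The widely circulated "hide a service" descriptor: deny DC, LC, WP, DT and
# SD to Interactive Users (IU), Service Users (SU) and Administrators (BA).
HIDE_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;SY)")

# "proc" mimics a process-creation event, "psb" a PowerShell 4104 script block.
EVENTS = [
    {"kind": "proc", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": f"pwsh.exe -NoProfile -Command \"Set-Service -Name evilsvc "
                    f"-SecurityDescriptorSddl '{HIDE_SDDL}'\""},
    {"kind": "psb", "ScriptBlockText": f"Set-Service -Name evilsvc -sd '{HIDE_SDDL}'"},
    {"kind": "proc", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f"powershell.exe -Command \"Set-Service -Name evilsvc "
                    f"-SecurityDescriptorSddl '{HIDE_SDDL}'\""},
    {"kind": "psb", "ScriptBlockText": "Set-Service -Name Spooler -StartupType Disabled"},
    {"kind": "psb", "ScriptBlockText": "Set-Service -Name mysvc -SecurityDescriptorSddl "
                                       "'D:(A;;CCLCSWRPWPDTLOCRRC;;;AU)(D;;WP;;;IU)'"},
    {"kind": "proc", "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": f"sc.exe sdset evilsvc {HIDE_SDDL}"},
]

SDDL_FLAG = ["-SecurityDescriptorSddl ", "-sd "]

def _any(value, needles):            # Sigma `contains` with a list: OR
    return any(n.lower() in value.lower() for n in needles)

def _all(value, needles):            # Sigma `contains|all`: AND
    return all(n.lower() in value.lower() for n in needles)

def event_text(ev):
    return ev.get("CommandLine") or ev.get("ScriptBlockText", "")

def hide_proc(ev):
    """Abuse of Service Permissions to Hide Services Via Set-Service (process creation)."""
    if ev["kind"] != "proc":
        return False
    img = (ev.get("Image", "").lower().endswith("\\pwsh.exe")
           or ev.get("OriginalFileName", "").lower() == "pwsh.dll")
    cmd = event_text(ev)
    return _any(cmd, SDDL_FLAG) and img and _all(cmd, ["Set-Service ", "DCLCWPDTSD"])

def dacl_psb(ev):
    """Suspicious Service DACL Modification Via Set-Service Cmdlet - PS."""
    if ev["kind"] != "psb":
        return False
    sb = event_text(ev)
    return (_any(sb, SDDL_FLAG)
            and _any(sb, [";;;IU", ";;;SU", ";;;BA", ";;;SY", ";;;WD"])
            and _all(sb, ["Set-Service ", "D;;"]))

def hide_psb(ev):
    """Abuse of Service Permissions to Hide Services Via Set-Service - PS."""
    if ev["kind"] != "psb":
        return False
    sb = event_text(ev)
    return _any(sb, SDDL_FLAG) and _all(sb, ["Set-Service ", "DCLCWPDTSD"])

RULES = {"hide_proc": hide_proc, "dacl_psb": dacl_psb, "hide_psb": hide_psb}

def run_rules(events=EVENTS):
    """Map each rule name to the indices of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)]
            for name, fn in RULES.items()}

def parse_dacl(text):
    """(ace_type, [two-letter rights], sid) for each ACE of the first D: section
    found in `text`; an ACE is `(type;flags;rights;objguid;inhguid;sid)`."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", text)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            continue                 # malformed ACE: skip rather than guess
        rights = parts[2]
        codes = ([rights] if rights.startswith("0x")
                 else [rights[i:i + 2] for i in range(0, len(rights), 2)])
        aces.append((parts[0], codes, parts[5]))
    return aces

def denied_status_query(text):
    """Principals a deny ACE stops from LC (SERVICE_QUERY_STATUS): a caller
    without it does not get the service back from sc.exe query or Get-Service."""
    return sorted({sid for t, codes, sid in parse_dacl(text)
                   if t == "D" and "LC" in codes})

if __name__ == "__main__":
    for name, idxs in run_rules().items():
        print(f"{name}: events {idxs}")
    for i in (0, 4, 5):
        print(i, "hidden from", denied_status_query(event_text(EVENTS[i])))
```

Three things fall out of the run. The process-creation rule ignores the same command under Windows PowerShell 5.1 (event 2), which is fine because the parameter does not exist there; the DACL rule fires on event 4 although that descriptor only denies SERVICE_STOP to Interactive Users and hides nothing, so `denied_status_query` returning an empty list is the quickest way to sort a DACL alert from a hide-service alert; and the same hide descriptor applied with `sc.exe sdset` (event 5) trips none of the three rules, since all of them require "Set-Service ". For the intended-use case this entry describes, the triage question is who ran it, not what the SDDL says: an administrator hiding a service deliberately produces exactly the same descriptor.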