Service DACL Modification via sc.exe
Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.
This detection identifies the modification of Discretionary Access Control Lists (DACLs) for Windows services using the `sc.exe` utility. Attackers can leverage this technique to deny access to a service, making it unmanageable or hiding it from system administrators and users. The detection rule focuses on instances where `sc.exe` is used with the `sdset` argument and the new security descriptor denies access to key principals, written in SDDL notation as IU, SU, BA, SY, and WD. This activity is indicative of a defense evasion attempt aimed at hindering security tools or preventing remediation. The rule is designed for data generated by Elastic Defend, but also supports integrations with third-party data sources such as CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, offering broad coverage for detecting this malicious behavior across diverse environments.
Attack Chain
- An attacker gains initial access to a system through various means (e.g., compromised credentials, phishing).
- The attacker elevates privileges to gain necessary permissions to modify service configurations.
- The attacker executes `sc.exe` with the `sdset` command to modify the DACL of a targeted service.
- The `sdset` command arguments specify the new security descriptor, denying access to specific user groups (e.g., IU, SU, BA, SY, WD).
- The service becomes inaccessible to the targeted user groups, potentially disrupting legitimate operations or security tools.
- The attacker may repeat this process for multiple services to further impair system functionality or evade detection.
- The attacker leverages the disabled or hidden services to maintain persistence or carry out other malicious activities.
Impact
Successful modification of service DACLs can lead to a denial-of-service condition for legitimate users and system administrators. This can impair the functionality of critical security tools, hinder incident response efforts, and provide attackers with a persistent foothold on the compromised system. Hiding services can also prevent users from identifying and removing malicious services. The source does not specify a number of victims; any organization running Windows services is potentially exposed to this type of attack.
Recommendation
- Deploy the Sigma rule `Service DACL Modification via sc.exe` to your SIEM to detect this specific behavior.
- Enable Sysmon process creation logging to provide the necessary data for the Sigma rule to function effectively.
- Investigate any instances where `sc.exe` is used with the `sdset` argument and access denial flags, focusing on the targeted user groups (IU, SU, BA, SY, WD).
- Implement strict access controls and monitor for unauthorized attempts to modify service configurations.
- Regularly audit service permissions to identify and remediate any unauthorized changes.
- Review and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.
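The following is an added example, not code from the original page or the Sigma rule it describes: it parses `sc.exe sdset` command lines from process-creation telemetry and flags security descriptors whose DACL contains a deny ACE for the principals named above. The service names and command lines are constructed samples; the SDDL alias expansions are standard Windows SDDL strings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SDDL SID aliases named by the detection (standard Windows SDDL strings).
TARGET_TRUSTEES = {"IU": "Interactive users", "SU": "Service logon users",
                   "BA": "Built-in Administrators", "SY": "Local System", "WD": "Everyone"}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<trustee>[^)]+)\)", re.I)
# sc[.exe] [\\server] sdset <service> <sddl>; an SDDL string contains no whitespace
SDSET_RE = re.compile(r"(?:^|[\\\s])sc(?:\.exe)?\s+(?:\\\\\S+\s+)?sdset\s+(?P<service>\S+)\s+(?P<sddl>\S+)", re.I)


@dataclass
class Finding:
    service: str
    denied: dict  # trustee alias -> rights string of the deny ACE


def analyze_command_line(cmdline: str) -> Optional[Finding]:
    """Return a Finding when cmdline sets a service DACL that denies a watched trustee."""
    m = SDSET_RE.search(cmdline)
    if not m:
        return None  # not 'sc sdset' (e.g. sdshow, or an unrelated process)
    denied = {}
    for ace in ACE_RE.finditer(m.group("sddl")):
        # 'D' is the access-denied ACE type; 'A' (allow) and 'AU' (audit) are benign here
        if ace.group("type").upper() == "D" and ace.group("trustee").upper() in TARGET_TRUSTEES:
            denied[ace.group("trustee").upper()] = ace.group("rights").upper()
    return Finding(m.group("service"), denied) if denied else None


def scan(events):
    """Run the check over an iterable of process command lines and keep only the hits."""
    return [f for f in (analyze_command_line(e) for e in events) if f]


# Constructed sample command lines in Sysmon Event ID 1 style, not real telemetry.
SAMPLE_EVENTS = [
    r"sc.exe sdset ExampleSvc D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
    r"C:\Windows\system32\sc.exe sdset ExampleSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r"sc.exe sdshow ExampleSvc",
    r"SC \\HOST01 sdset SecondSvc D:(D;;GA;;;WD)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT service={hit.service} denied={hit.denied}")
```

The second sample shows why the check keys on the ACE type rather than on the presence of a trustee alone: an allow-only descriptor that merely mentions BA, IU or WD is routine administration and produces no hit.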
Detection coverage (2 rules)
- Service DACL Modification via sc.exe (severity: medium): detects DACL modifications to deny access to a service using sc.exe.
- Suspicious sc.exe Execution with sdset (severity: medium): detects suspicious execution of sc.exe with the sdset argument.