Service DACL Modification via sc.exe
Adversaries modify a service's DACL (Discretionary Access Control List) via `sc.exe` to deny access to key user groups, potentially making the service unstoppable or hiding it from users and the system, in order to evade defenses and persist.
Attackers can exploit the Windows sc.exe utility to modify service DACLs (Discretionary Access Control Lists), effectively denying access to specific user groups and system accounts. This activity, often employed as a defense evasion tactic, aims to render services unmanageable or conceal them from standard system administration tools. By manipulating DACLs, adversaries can prevent legitimate users and security software from interacting with or terminating malicious services. This technique is particularly concerning as it can lead to persistent malware execution and hinder incident response efforts. The behavior is seen across Windows environments, with attackers targeting access rights for built-in groups like IU (Interactive User), SU (Service User), BA (Built-in Administrators), SY (SYSTEM), and WD (All Users).
Attack Chain
- The attacker gains initial access to the system through unspecified means (e.g., exploitation, social engineering).
- The attacker executes
sc.exewith thesdsetparameter, targeting a specific service. - The attacker crafts the
sdsetcommand to modify the service's DACL, denying access to specific security principals. The command includes arguments likeD;to specify denial ACEs. - The DACL modification string includes access rights that explicitly deny permissions to key groups such as IU, SU, BA, SY, and WD using SID strings.
- The
sc.execommand successfully applies the modified DACL to the targeted service, restricting access for the specified user groups. - Attempts to manage or interact with the service through legitimate tools fail due to the altered permissions.
- The attacker maintains persistence by ensuring the service remains running and unmodifiable.
- The attacker achieves defense evasion by hindering security tools and administrators from detecting or terminating the service.
Impact
Successful exploitation can lead to persistent malware execution as the modified service becomes difficult to manage or terminate. The number of victims can vary, depending on the scope of the initial compromise and the targeted systems. Sectors affected include any organization relying on Windows services. If the attack succeeds, critical services can be rendered unmanageable, causing operational disruption, or malicious services can remain hidden and persistent.
Recommendation
- Deploy the Sigma rule "Service DACL Modification via sc.exe" to your SIEM to detect suspicious
sc.execommand executions modifying DACLs (see rules section). - Enable Sysmon process creation logging to capture the
sc.execommands with thesdsetparameter. - Review existing service configurations and permissions to identify any unauthorized DACL modifications.
- Monitor process execution for
sc.execommands containingsdsetand access rights modifications targeting common user groups such as IU, SU, BA, SY, and WD, as specified in the rule query.
Detection coverage 2
Service DACL Modification via sc.exe
mediumDetects DACL modifications to a service using sc.exe, potentially denying access and hindering management.
Service DACL Modification via sc.exe - Alternate Detection
mediumDetects DACL modifications to a service using sc.exe based on original file name, potentially denying access and hindering management.
Detection queries are available on the platform. Get full rules →