
Summary
This detection rule identifies potential privilege escalation attempts in Windows environments where the 'sc.exe' utility is executed by a user running at medium integrity level. The primary goal of this rule is to monitor instances where such a user attempts to modify service configurations, specifically the ImagePath or FailureCommand properties of Windows services. These changes could indicate that a user is trying to escalate privileges through misconfigured service permissions. The rule leverages process creation logs to look for command line invocations of 'sc.exe' coupled with specific parameters commonly associated with service manipulation, such as 'binPath' or 'failure command'. By combining these conditions (the sc.exe process, the medium integrity level, and the service-modifying parameters), the rule can identify potentially malicious activity while reducing false positives, since routine elevated administration does not match. This detection method is crucial for maintaining the integrity of service configurations and preventing unauthorized access or privilege elevation by regular users.
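The following is an added example of the rule's logic applied to constructed process-creation events; it is not the rule's own query or code. It assumes Sysmon Event ID 1 style field names (Image, CommandLine, IntegrityLevel) and treats the sc.exe 'binPath=' and 'failure ... command=' parameters as the service-modifying indicators described above.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events (assumed Sysmon Event ID 1 field names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: medium-integrity user rewriting a service binary path -> should match
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe config VulnSvc binPath= "C:\Users\alice\tool.exe"',
     "IntegrityLevel": "Medium"},
    # 2: medium-integrity user setting a failure command -> should match
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe failure VulnSvc reset= 0 actions= restart/60000 command= "C:\Users\alice\tool.exe"',
     "IntegrityLevel": "Medium"},
    # 3: elevated administrator doing the same change -> excluded (not medium integrity)
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe config Spooler binPath= "C:\Windows\System32\spoolsv.exe"',
     "IntegrityLevel": "High"},
    # 4: read-only sc.exe usage at medium integrity -> excluded (no modifying parameter)
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query VulnSvc",
     "IntegrityLevel": "Medium"},
]

# sc.exe syntax puts a space after '=', so allow optional whitespace before the value.
BINPATH_RE = re.compile(r"\bbinpath\s*=", re.IGNORECASE)
FAILURE_COMMAND_RE = re.compile(r"\bfailure\b.*\bcommand\s*=", re.IGNORECASE)


def is_sc_image(image: str) -> bool:
    """True when the process image file name is sc.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "sc.exe"


def matches_rule(event: Dict[str, str]) -> bool:
    """All three conditions must hold: sc.exe image, medium integrity, modifying parameter."""
    if not is_sc_image(event.get("Image", "")):
        return False
    if event.get("IntegrityLevel", "").lower() != "medium":
        return False
    cmd = event.get("CommandLine", "")
    return bool(BINPATH_RE.search(cmd) or FAILURE_COMMAND_RE.search(cmd))


def find_matches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```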
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-10-26