
Summary
This detection rule monitors use of the Windows service control utility, `sc.exe`, which threat actors commonly use to manipulate service permissions, in particular to create hidden services that standard tooling can neither enumerate nor remove. The rule fires when `sc.exe` is invoked with specific parameters, such as `sdset`, and the command line contains particular permission indicators associated with this activity. Its aim is to alert on unauthorized attempts to alter service permissions, a persistence tactic used by malware and attackers to evade detection and keep control of a compromised system. Detection requires that the command line include the specified keywords and that `sc.exe` be launched from the expected image path; together these conditions give high confidence that the behavior is malicious and help incident responders identify and mitigate the threat.
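The matching logic the summary describes, written out as a small Python detector run over constructed process-creation events. This is an added example, not the rule's own query or code. The page does not list the exact permission keywords the rule matches, so the `(D;` indicator below (the prefix of an access-denied ACE in SDDL) is an assumption standing in for the real keyword list; the event fields, service name and SDDL strings are likewise invented for the dry run.

```python
import re
from dataclasses import dataclass

# Assumed indicators (not taken from the page): in SDDL an access-denied
# ACE begins with "(D;", so any deny entry in an sdset argument is flagged.
# Swap in the rule's real keyword list here.
DENY_KEYWORDS = ("(D;",)

# The sdset verb as a standalone token, case-insensitive.
SDSET_RE = re.compile(r"(?<![\w-])sdset(?![\w-])", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the started executable (hypothetical field)
    command_line: str   # full command line as logged (hypothetical field)


def is_sc_exe(image: str) -> bool:
    """True when the image path ends with \\sc.exe, case-insensitively."""
    return image.lower().endswith("\\sc.exe")


def has_deny_ace(command_line: str) -> bool:
    """True when any of the assumed permission indicators appears."""
    lowered = command_line.lower()
    return any(k.lower() in lowered for k in DENY_KEYWORDS)


def matches_rule(event: ProcessEvent) -> bool:
    """All three conditions must hold: sc.exe image, sdset verb, deny ACE."""
    return (
        is_sc_exe(event.image)
        and SDSET_RE.search(event.command_line) is not None
        and has_deny_ace(event.command_line)
    )


def scan(events):
    """Return the subset of events that satisfy the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; service name and SDDL strings are invented.
SAMPLE_EVENTS = [
    # sdset with a deny ACE: should alert
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r"sc.exe sdset SampleSvc D:(D;;GA;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"),
    # sdset that only grants access: no deny indicator, no alert
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r"sc.exe sdset SampleSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"),
    # a different sc.exe verb: no alert
    ProcessEvent(r"C:\Windows\System32\sc.exe",
                 r"sc.exe query SampleSvc"),
    # same arguments but not launched from an sc.exe image: no alert
    ProcessEvent(r"C:\Temp\tool.exe",
                 r"tool.exe sdset SampleSvc D:(D;;GA;;;IU)"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT service DACL tampering via sc.exe:", hit.command_line)
```

Only the first sample event satisfies all three conditions. The fourth event shows the trade-off of requiring the image path: a renamed copy of `sc.exe` would not match, so in practice the image check is usually paired with a check on the binary's original file name metadata where the telemetry provides it.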
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2021-12-20