Detection rules › Sigma
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Privilege Escalation | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Defense Evasion | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: all of selection_sddl_flag
or:
ScriptBlockText|contains: '-SecurityDescriptorSddl '
ScriptBlockText|contains: '-sd '
Stage 2: all of selection_set_service
or:
ScriptBlockText|contains: ';;;BA'
ScriptBlockText|contains: ';;;IU'
ScriptBlockText|contains: ';;;SU'
ScriptBlockText|contains: ';;;SY'
ScriptBlockText|contains: ';;;WD'
ScriptBlockText|contains: 'D;;'
ScriptBlockText|contains: 'Set-Service '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ScriptBlockText | match |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Abuse of Service Permissions to Hide Services Via Set-Service - PS (adds 2 filters)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 1 filter this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 1 filter this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 1 filter this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 1 filter this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 1 filter this rule applies)