Skip to content

Hide Navigation Hide TOC

Allow Service Access Using Security Descriptor Tampering Via Sc.EXE (6c8fbee5-dee8-49bc-851d-c3142d02aa47)

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Allow Service Access Using Security Descriptor Tampering Via Sc.EXE (6c8fbee5-dee8-49bc-851d-c3142d02aa47) Sigma-Rules 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2