Deny Service Access Using Security Descriptor Tampering Via Sc.EXE (99cf1e02-00fb-4c0d-8375-563f978dfd37)

Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Deny Service Access Using Security Descriptor Tampering Via Sc.EXE (99cf1e02-00fb-4c0d-8375-563f978dfd37) | Sigma-Rules | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |