Service DACL Abuse To Hide Services Via Sc.EXE (a537cfc3-4297-4789-92b5-345bfd845ad0)

Detects usage of the "sc.exe" utility to add a new service with special permissions, a technique seen used by threat actors, which makes the service hidden and unremovable.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Service DACL Abuse To Hide Services Via Sc.EXE (a537cfc3-4297-4789-92b5-345bfd845ad0) | Sigma-Rules | Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) | Attack Pattern | 1 |
| Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |