Suspicious Service DACL Modification Via Set-Service Cmdlet (a95b9b42-1308-4735-a1af-abb1c5e6f5ac)

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7), which can be used to hide services or make them unstoppable.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Suspicious Service DACL Modification Via Set-Service Cmdlet (a95b9b42-1308-4735-a1af-abb1c5e6f5ac) | Sigma-Rules | Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2