Find sigma rule

Attack: Hide Artifacts

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

MITRE

Tactic

defense-evasion

technique

T1564

Test : Create and Hide a Service with sc.exe

OS

windows

Description:

The following technique utilizes sc.exe and sdset to change the security descriptor of a service and “hide” it from Get-Service or sc query.

Upon successful execution, sc.exe creates a new service changes the security descriptor.

https://twitter.com/Alh4zr3d/status/1580925761996828672 https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format

Executor

command_prompt

Sigma Rule

proc_creation_win_sc_sdset_hide_sevices.yml (id: a537cfc3-4297-4789-92b5-345bfd845ad0)
proc_creation_win_sc_sdset_deny_service_access.yml (id: 99cf1e02-00fb-4c0d-8375-563f978dfd37)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test