Source: CQURE Academy
Author: Kate Chrzan
URL: https://cqureacademy.com/blog/66-hiding-and-modifying-windows-services/
CQURE HACKS #66 Hiding and Modifying Windows Services with Service Control
ONE SENTENCE SUMMARY:
The guide shows how editing a service's SDDL security descriptor hides a Windows service from the usual administrative tools (a persistence technique) and how different tools do or do not detect such a hidden service, depending on which API they use.
MAIN POINTS:
- Editing a service's SDDL can hide the service from the tools investigators normally rely on, which makes it a persistence technique worth understanding in post-incident work.
- Use “sc sdshow <ServiceName>” to display a service's current security descriptor as an SDDL string.
- Apply a modified descriptor with “sc sdset <ServiceName> <SDDL>”; from PowerShell call sc.exe explicitly, because “sc” there is an alias for Set-Content.
- The DACL part of the SDDL (the “D:” section) holds allow and deny ACEs per SID; denying a principal the service query-status right removes the service from that principal's service enumeration.
- Tools behave differently because they use different APIs: anything that asks the Service Control Manager is subject to the service's DACL, while a direct registry read is not.
- “Get-Service” queries the Service Control Manager, so it will not list a service whose SDDL denies the caller the query right.
- Autoruns finds services by reading the registry under HKLM\SYSTEM\CurrentControlSet\Services, so the SCM-enforced DACL does not stop it.
- Unhide a service by running “sc sdset” with the original or a default descriptor; saving the “sc sdshow” output beforehand makes the restore exact.
- More advanced techniques such as DKOM (direct kernel object manipulation) hide processes at a deeper level than a DACL change.
- SDDL describes security descriptors for many other Windows object types (files, registry keys, processes), not only services.
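The full hide-and-restore procedure from the points above, as an added PowerShell example (this is not code from the CQURE post). It assumes an elevated prompt and a lab service name of your own; the hiding descriptor is the common “deny query-status to IU, SU and BA” pattern, and the rights abbreviations in the comments are the standard Windows service SDDL tokens.

```powershell
# Added example (not from the CQURE post): hide a service via its SDDL and restore it.
# Run from an elevated PowerShell prompt. Inside PowerShell "sc" is an alias for
# Set-Content, so always call sc.exe explicitly. The service name below is an
# assumption; use any lab service you are allowed to experiment with.
$Name = 'TestSvc'   # assumed name of a test service (e.g. created earlier with sc.exe create)

# 1. Capture the current descriptor. sc sdshow prints a blank line and then the SDDL.
$Original = sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }
if (-not $Original) { throw "Could not read the SDDL of '$Name' (does it exist, are you elevated?)" }
"Original SDDL: $Original"

# 2. Build a descriptor that denies SERVICE_QUERY_STATUS (LC) to Interactive Users (IU),
#    service accounts (SU) and Builtin Administrators (BA). The SCM omits a service from
#    service enumeration when the caller lacks LC, so services.msc, Get-Service and
#    "sc query" stop listing it. SYSTEM (SY) keeps its usual rights, so the service keeps
#    running, and BA keeps WD (WRITE_DAC), so an administrator can still sdset it back.
#    Rights tokens used below: CC=QUERY_CONFIG DC=CHANGE_CONFIG LC=QUERY_STATUS
#    SW=ENUMERATE_DEPENDENTS RP=START WP=STOP DT=PAUSE_CONTINUE LO=INTERROGATE
#    CR=USER_DEFINED_CONTROL SD=DELETE RC=READ_CONTROL WD=WRITE_DAC WO=WRITE_OWNER
$Hidden = 'D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
          '(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
sc.exe sdset $Name $Hidden   # prints "[SC] SetServiceObjectSecurity SUCCESS" on success

# 3. Observe how SCM-based tools behave now (as the administrator who was just denied LC).
Get-Service -Name $Name -ErrorAction SilentlyContinue   # returns nothing: the enumeration skips it
sc.exe query $Name                                       # direct open fails: "OpenService FAILED 5: Access is denied"
# ... while the registry key that Autoruns reads directly is untouched:
Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"   # True

# 4. Undo: put the saved descriptor back (possible because BA still holds WRITE_DAC).
sc.exe sdset $Name $Original
Get-Service -Name $Name   # listed again
```

The deny ACEs also cover DC, WP, DT and SD, so while hidden the service cannot be reconfigured, stopped or deleted by administrators through the SCM; running the same commands as SYSTEM (which the descriptor does not deny) shows the service normally, which is one quick way to confirm a DACL-based hide rather than a missing service.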
TAKEAWAYS:
- SDDL manipulation is a service persistence technique that investigators should be able to recognise and reverse.
- Autoruns can detect hidden services through the registry.
- Resetting a service's SDDL to its original or default descriptor makes the hidden service visible again.
- Whether a tool sees a hidden service depends on the API it uses: SCM calls honour the service DACL, direct registry reads do not.
- Understanding SDDL enhances cybersecurity incident investigation skills.
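An Autoruns-style check in PowerShell, added here as an example (it is not code from the CQURE post or from Autoruns). It lists services from the registry, which the service DACL does not protect, compares that list with what the Service Control Manager enumerates for the current user, and for every gap reads the SDDL and reports deny ACEs that strip the query-status right. Function names are this example's own; the Type bit test and the SDDL tokens are standard Windows facts.

```powershell
# Added example (not from the CQURE post): find services that the registry knows about
# but the SCM will not enumerate for the current user, then explain why from the SDDL.
# Run elevated; sc.exe sdshow needs READ_CONTROL, which the usual hiding descriptor
# still grants to administrators.

function Get-ServiceAceList {
    # Parse the DACL ("D:" section) of an SDDL string into one object per ACE.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = if ($Sddl -match 'D:(?<dacl>.*?)(S:|$)') { $Matches.dacl } else { '' }
    $acePattern = '\((?<type>[A-Z]+);(?<flags>[^;]*);(?<rights>[^;]*);(?<og>[^;]*);(?<ig>[^;]*);(?<sid>[^)]+)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        [pscustomobject]@{
            Type   = $m.Groups['type'].Value     # A = allow, D = deny
            Rights = $m.Groups['rights'].Value   # two-letter rights tokens or a hex access mask
            Sid    = $m.Groups['sid'].Value      # SDDL alias (IU, SU, BA, SY ...) or a raw S-1-... SID
        }
    }
}

function Test-DeniesQueryStatus {
    # True when an ACE denies SERVICE_QUERY_STATUS, written either as the LC token
    # or as bit 0x4 inside a hex access mask.
    param([Parameter(Mandatory)]$Ace)
    if ($Ace.Type -ne 'D') { return $false }
    if ($Ace.Rights -match '^0x') { return ([int]$Ace.Rights -band 0x4) -ne 0 }
    return $Ace.Rights -match 'LC'
}

function Find-HiddenService {
    $regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # The Services key also holds drivers; keep Win32 service types (0x10 own process,
    # 0x20 shared process, and the user-service variants that set the same bits).
    $fromRegistry = Get-ChildItem $regRoot | Where-Object {
        $t = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        ($null -ne $t) -and (($t -band 0x30) -ne 0)
    } | Select-Object -ExpandProperty PSChildName

    # What the SCM is willing to show the current caller (same view as services.msc).
    $fromScm = Get-Service | Select-Object -ExpandProperty Name

    foreach ($svc in $fromRegistry) {
        if ($fromScm -contains $svc) { continue }    # enumerated normally: nothing to report
        $sddl   = sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }
        $denies = @()
        if ($sddl) { $denies = @(Get-ServiceAceList -Sddl $sddl | Where-Object { Test-DeniesQueryStatus $_ }) }
        [pscustomobject]@{
            Service       = $svc
            ImagePath     = (Get-ItemProperty "$regRoot\$svc" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            Sddl          = $sddl
            DeniedQueryTo = ($denies | Select-Object -ExpandProperty Sid) -join ','
        }
    }
}

Find-HiddenService | Format-List
```

A hit with DeniedQueryTo listing IU, SU or BA is the SDDL trick from this post; a hit with no deny ACE is a different situation (for example a key left behind by a service marked for deletion, or one registered for the next boot) and needs a separate look. Running the same function as SYSTEM, which the common hiding descriptor does not deny, should make the gap disappear, which confirms the cause.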