Skip to content

palangosjuze/DetectiveService

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
Properties
Properties
 
 
App.config
App.config
 
 
ConsoleApp.csproj
ConsoleApp.csproj
 
 
ConsoleApp.csproj.user
ConsoleApp.csproj.user
 
 
ConsoleApp.sln
ConsoleApp.sln
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 

Repository files navigation

DetectiveService

A tool for blue teams to detect windows service persistence, that was hidden using restrictive DACL's.

This technique is nicely documented at SANS blog: https://www.sans.org/blog/red-team-tactics-hiding-windows-services

Attackers can hide service persistance using restrictive DACL's using sdset command. Then the malicious service is not displayed using sc query or sc qc commands. And you are also unable to stop the malicious services. You also need to find the hidden services name in order to restore original DACL. For this you can use DetectiveService tool to help you track those sneeky services.

How it works (quite simple): It compares what you see using sc query with that registry keys are pressent in SYSTEM\CurrentControlSet\Services. It tries its best to filter out the noise (drivers, service templates etc.).

output

About

A tool for blue teams to detect windows service persistence, that was hidden using restrictive DACL's.

Topics

cybersecurity hidden-services cyberdefense blueteam-tools incidentresponse-devops hidden-service-detection malicious-services-detection

Resources

Readme
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

DetectiveService v1 Latest
Aug 21, 2025

Packages

 
 
 

Contributors

Languages