{
	"id": "32c8e43e-e382-4445-9b60-ce7745cff5e9",
	"created_at": "2026-04-06T00:12:19.969885Z",
	"updated_at": "2026-04-10T13:11:51.026715Z",
	"deleted_at": null,
	"sha1_hash": "cdd3deb094dbc4a1aa3d0c01f250a83556491b50",
	"title": "Defense Spotlight: Finding Hidden Windows Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204597,
	"plain_text": "Defense Spotlight: Finding Hidden Windows Services\r\nBy Joshua Wright\r\nPublished: 2020-10-14 · Archived: 2026-04-02 11:53:57 UTC\r\nIn the previous article, I wrote about a technique that can be used to hide a Windows service from view using\r\nstandard service enumeration techniques including Get-Service, sc query, and services.exe:\r\nPS C:\\WINDOWS\\system32\u003e \u0026 $env:SystemRoot\\System32\\sc.exe sdset SWCUEngine \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTS\r\n[SC] SetServiceObjectSecurity SUCCESS\r\nPS C:\\WINDOWS\\system32\u003e Get-Service | Select-Object Name | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\u003e Get-WmiObject Win32_Service | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\u003e \u0026 $env:SystemRoot\\System32\\sc.exe query | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\WINDOWS\\system32\u003e\r\nAfter establishing access to a system, an attacker can use this as a means to obtain persistent access to the host\r\nusing the Command \u0026 Control (C2) mechanism of their choosing, evading typical service enumeration\r\ntechniques.\r\nIf an attacker hides a service using the sc sdset technique, Windows will generate a logging event: Security log\r\nEvent ID 4674:\r\nPS C:\\WINDOWS\\system32\u003e $dacl=\"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;\r\nPS C:\\WINDOWS\\system32\u003e Clear-Eventlog -Logname Security ; \u0026 $env:SystemRoot\\System32\\sc.exe sdset SWCUEngine $d\r\n[SC] SetServiceObjectSecurity SUCCESS\r\nEventID : 4674\r\nMessage : An operation was attempted on a privileged object.\r\n Subject:\r\n Security ID: S-1-5-21-2977773840-2930198165-1551093962-1000\r\n Account Name: Sec504\r\n Account Domain: SEC504STUDENT\r\n Logon ID: 0x35aec\r\n Object:\r\n Object Server: SC Manager\r\n Object Type: SERVICE OBJECT\r\n Object Name: SWCUEngine\r\n Object Handle: 0xffffbb06ee98e928\r\n Process Information:\r\n Process ID: 
0x25c\r\nhttps://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/\r\nPage 1 of 4\n\nProcess Name: C:\\Windows\\System32\\services.exe\r\n Requested Operation:\r\n Desired Access: %%1539\r\n Privileges: SeSecurityPrivilege\r\nEventID : 1102\r\nMessage : The audit log was cleared.\r\n Subject:\r\n Security ID: S-1-5-21-2977773840-2930198165-1551093962-1000\r\n Account Name: Sec504\r\n Domain Name: SEC504STUDENT\r\n Logon ID: 0x35aec\r\nPS C:\\WINDOWS\\system32\u003e\r\nUsing the Splunk Boss of the SOC v3 data (courtesy of the amazing Dave Herrald), it appears that Security Event\r\nID 4674 events (An operation was attempted on a privileged object) are pretty rare indeed, particularly when\r\napplied to the services.exe process. This seems like a good candidate for a DeepBlueCLI event detect.\r\nFirst, you'll need to download DeepBlueCLI. This is easiest if you've already installed Git on your system:\r\nPS C:\\\u003e mkdir c:\\tools\r\nPS C:\\\u003e cd tools\r\nPS C:\\tools\u003e git clone https://github.com/sans-blue-team/DeepBlueCLI.git\r\nCloning into 'DeepBlueCLI'...\r\nremote: Enumerating objects: 31, done.\r\nremote: Counting objects: 100% (31/31), done.\r\nremote: Compressing objects: 100% (21/21), done.\r\nReceiving objects: 100% (493/493), 5.56 MiB | 13.85 MiB/s, done.\r\nResolving deltas: 100% (271/271), done.\r\nBy default, DeepBlue.ps1 reads from the local Security log, which will identify this attack:\r\nPS C:\\tools\u003e cd .\\DeepBlueCLI\\\r\nPS C:\\tools\\DeepBlueCLI\u003e .\\DeepBlue.ps1\r\nDate : 10/13/2020 10:59:21 AM\r\nLog : Security\r\nEventID : 4674\r\nMessage : Possible Hidden Service Attempt\r\nResults : User requested to modify the Dynamic Access Control (DAC) permissions of a service,\r\n possibly to hide it from view.\r\n User: Sec504\r\n Target service: SWCUEngine\r\n Desired Access: WRITE_DAC\r\nCommand :\r\nDecoded :\r\nA 
sample EVTX log capture is also available for testing.\r\nThis detect is useful since it also reveals the target service name. You can confirm that the service is hidden by\r\nattempting to enumerate it and to interrogate it directly. First, we confirm that the service is hidden:\r\nPS C:\\tools\\DeepBlueCLI\u003e Get-Service | Select-Object Name | Select-String -Pattern 'SWCUEngine'\r\nPS C:\\tools\\DeepBlueCLI\u003e\r\nIn this output we see that the service name is not displayed in the output of Get-Service. Since we know the name\r\nof the service from the DeepBlueCLI output though, we can attempt to control the service using Set-Service:\r\nPS C:\\tools\\DeepBlueCLI\u003e Set-Service -Name SWCUEngine -Status Stopped\r\nSet-Service : Service 'SWCUEngine (SWCUEngine)' cannot be configured due to the following error: Access is denie\r\nAt line:1 char:1\r\n...\r\nNotice how in the Set-Service command, the error message is Access is denied. Compare this to a service that really\r\ndoes not exist, shown below:\r\nPS C:\\tools\\DeepBlueCLI\u003e Set-Service -Name JoshNonexistentService -Status Stopped\r\nSet-Service : Service JoshNonexistentService was not found on computer '.'.\r\nAt line:1 char:1\r\n...\r\nThe message Service ... was not found indicates that there really is no service, while the message Access is denied\r\ntells us that it does exist, and is hidden on the local system.\r\nThis detection mechanism is useful, but is still problematic. What if an attacker clears the event log? What if an\r\nattacker purges the log entry? What if the event log information rolls over prior to detection?\r\nFortunately, Windows also maintains a registry key for each service in\r\nHKLM\\System\\CurrentControlSet\\Services. We can cross-reference the registry key list with the service name list\r\nfrom Get-Service to identify any outliers. 
This gets a little complicated since there are multiple entries in the\r\nServices registry key for Windows drivers (not services) and duplicate per-user services with a locally unique\r\nidentifier (LUID) at the end of the service name.\r\nPS C:\\\u003e Compare-Object `\r\n\u003e\u003e -ReferenceObject (Get-Service |\r\n\u003e\u003e Select-Object -ExpandProperty Name |\r\n\u003e\u003e % { $_ -replace \"_[0-9a-f]{2,8}$\" } ) `\r\n\u003e\u003e -DifferenceObject (gci -path hklm:\\system\\currentcontrolset\\services |\r\n\u003e\u003e % { $_.Name -Replace \"HKEY_LOCAL_MACHINE\\\\\",\"HKLM:\\\" } |\r\n\u003e\u003e ? { Get-ItemProperty -Path \"$_\" -name objectname -erroraction 'ignore' } |\r\n\u003e\u003e % { $_.substring(40) }) -PassThru |\r\n\u003e\u003e ? { $_.sideIndicator -eq \"=\u003e\" }\r\nSWCUEngine\r\nWUDFWpdFs\r\nPS C:\\\u003e\r\nBy enumerating the registry for services and comparing against the output of Get-Service, we can identify hidden\r\nservices. The output here reveals SWCUEngine as hidden, but it also reveals WUDFWpdFs (Microsoft Windows\r\nPortable Devices file system driver) as hidden as well. We can confirm this by using the Set-Service command as\r\nshown earlier in this article:\r\nPS C:\\\u003e Set-Service -Name WUDFWpdFs -Status Stopped\r\nSet-Service : Service 'WUDFWpdFs (WUDFWpdFs)' cannot be stopped due to the following error: Cannot stop WUDFWpdF\r\nAt line:1 char:1\r\n...\r\nAgain here, we can confirm that WUDFWpdFs is a service from the lack of a was not found on computer error\r\nmessage.\r\nHiding Windows services is a nice opportunity for an adversary to try to avoid detection, but once defenders know\r\nthat this is possible, it becomes an easy detect. 
Consider adding the checkhiddensvc.ps1 script to your next\r\nthreat-hunting exercise.\r\nSpecial thanks to Jon Gorenflo for help in researching detection methods for this article!\r\nSource: https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/"
	],
	"report_names": [
		"defense-spotlight-finding-hidden-windows-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdd3deb094dbc4a1aa3d0c01f250a83556491b50.pdf",
		"text": "https://archive.orkl.eu/cdd3deb094dbc4a1aa3d0c01f250a83556491b50.txt",
		"img": "https://archive.orkl.eu/cdd3deb094dbc4a1aa3d0c01f250a83556491b50.jpg"
	}
}