Unusual Persistence via Services Registry
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
[metadata]
creation_date = "2020/11/18"
# Data sources this rule is maintained for; the [rule] index patterns read from these.
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# Stack floor follows the Windows Integration breaking change described in the comment key.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
modification of an existing service.
"""
# Look-back window applied on each rule execution.
from = "now-9m"
# One pattern per data source: Elastic Defend registry events, Endgame, Sysmon via the Windows
# integration, Winlogbeat, Microsoft Defender for Endpoint and SentinelOne Cloud Funnel.
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
risk_score = 21
rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
]
# Evaluate the look-back window against ingest time rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, following the clauses of the query:
#   * registry "change" events on Windows hosts whose written value is ServiceDLL or ImagePath
#     under ...\SYSTEM\ControlSet*\Services\<service>\ ; the path is matched in three spellings
#     (HKLM\, \REGISTRY\MACHINE\, MACHINE\), presumably because the data sources render the hive
#     prefix differently - confirm against each source's registry.path format;
#   * kernel driver images are excluded by registry.data.strings (*.sys under system32\Drivers,
#     \SystemRoot\System32\drivers, syswow64, and the USBSTOR driver), as is Process Explorer
#     (procexp??.exe) writing its own procexp*.sys helper driver;
#   * writers expected to touch these keys are excluded by process.executable: services.exe (the
#     Service Control Manager), svchost.exe, msiexec.exe, regsvr32.exe, drvinst.exe, TiWorker.exe,
#     WaaSMedicAgent.exe, and any *.exe under Program Files / Program Files (x86).
# Tuning note: the Program Files patterns are path-based allowlists that match every executable
# under those trees, so service registrations performed from there are not alerted on; coverage
# rests on those directories holding only legitimately installed software. Results from this rule
# still need triage, which is consistent with the low risk_score and severity above.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : ("ServiceDLL", "ImagePath") and
  registry.path : (
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
  ) and not registry.data.strings : (
    "?:\\windows\\system32\\Drivers\\*.sys",
    "\\SystemRoot\\System32\\drivers\\*.sys",
    "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
    "\\??\\?:\\Windows\\syswow64\\*.sys",
    "system32\\DRIVERS\\USBSTOR") and
  not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
  not process.executable : (
    "?:\\Program Files\\*.exe",
    "?:\\Program Files (x86)\\*.exe",
    "?:\\Windows\\System32\\svchost.exe",
    "?:\\Windows\\winsxs\\*\\TiWorker.exe",
    "?:\\Windows\\System32\\drvinst.exe",
    "?:\\Windows\\System32\\services.exe",
    "?:\\Windows\\System32\\msiexec.exe",
    "?:\\Windows\\System32\\regsvr32.exe",
    "?:\\Windows\\System32\\WaaSMedicAgent.exe"
  )
'''

# ATT&CK mapping. Two [[rule.threat]] entries, one per tactic the rule is tagged with; each
# entry carries its own technique list and a single [rule.threat.tactic] sub-table.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Image File Execution Options Injection
- Installation of Security Support Provider
- Registry Persistence via AppInit DLL
- Suspicious ImagePath Service Creation
- Suspicious Startup Shell Folder Modification