Unusual Persistence via Services Registry
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
modification of an existing service.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Persistence via Services Registry

Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity.

### Possible investigation steps

- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications.
- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious.
- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive.
- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms.
- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration.
- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques.

### False positive analysis

- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule.
- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list.
- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated.
- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions.
- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services.
- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts.
- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""
risk_score = 21
rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : ("ServiceDLL", "ImagePath") and
  registry.path : (
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
    "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
  ) and not registry.data.strings : (
    "?:\\windows\\system32\\Drivers\\*.sys",
    "\\SystemRoot\\System32\\drivers\\*.sys",
    "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
    "\\??\\?:\\Windows\\syswow64\\*.sys",
    "system32\\DRIVERS\\USBSTOR") and
  not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
  not process.executable : (
    "?:\\Program Files\\*.exe",
    "?:\\Program Files (x86)\\*.exe",
    "?:\\Windows\\System32\\svchost.exe",
    "?:\\Windows\\winsxs\\*\\TiWorker.exe",
    "?:\\Windows\\System32\\drvinst.exe",
    "?:\\Windows\\System32\\services.exe",
    "?:\\Windows\\System32\\msiexec.exe",
    "?:\\Windows\\System32\\regsvr32.exe",
    "?:\\Windows\\System32\\WaaSMedicAgent.exe"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
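The following is an added example, not Elastic's code or its EQL engine: a small Python re-implementation of the rule's predicate so a detection engineer can step through how each clause behaves before tuning exceptions. It assumes the ECS field names used in the query above, treats a missing field as non-matching (a simplification of EQL's null handling), and runs over a constructed set of registry events that exercise the watched paths, the driver-data exclusions, the Process Explorer carve-out and the excluded system executables. The event contents (service names, paths, process names) are invented for illustration.

```python
"""Offline evaluation of the rule's EQL predicate over constructed registry events.

Added example: not Elastic's implementation. The patterns are copied from the
rule; EQL double-quoted strings escape a backslash as "\\", so raw Python
strings below hold the effective single-backslash form.
"""
import re

WATCHED_VALUES = ("ServiceDLL", "ImagePath")
WATCHED_PATHS = (
    r"HKLM\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"HKLM\SYSTEM\ControlSet*\Services\*\ImagePath",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath",
    r"MACHINE\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath",
)
EXCLUDED_DATA = (
    r"?:\windows\system32\Drivers\*.sys",
    r"\SystemRoot\System32\drivers\*.sys",
    r"\??\?:\Windows\system32\Drivers\*.SYS",
    r"\??\?:\Windows\syswow64\*.sys",
    r"system32\DRIVERS\USBSTOR",
)
EXCLUDED_EXECUTABLES = (
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\System32\svchost.exe",
    r"?:\Windows\winsxs\*\TiWorker.exe",
    r"?:\Windows\System32\drvinst.exe",
    r"?:\Windows\System32\services.exe",
    r"?:\Windows\System32\msiexec.exe",
    r"?:\Windows\System32\regsvr32.exe",
    r"?:\Windows\System32\WaaSMedicAgent.exe",
)


def eql_glob(pattern: str) -> re.Pattern:
    """Compile an EQL ':' wildcard: '*' any run (including backslashes), '?' one char, case-insensitive."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_any(value, patterns) -> bool:
    """EQL 'field : (p1, p2, ...)': true if any element of the field matches any pattern.
    Assumption: a missing field never matches (EQL's null semantics are simplified here)."""
    return any(eql_glob(p).fullmatch(v) for v in _as_list(value) for p in patterns)


def rule_matches(event: dict) -> bool:
    """Evaluate the rule's where-clause for one flattened ECS registry event."""
    if event.get("host.os.type") != "windows" or "change" not in _as_list(event.get("event.type")):
        return False
    if not matches_any(event.get("registry.value"), WATCHED_VALUES):
        return False
    if not matches_any(event.get("registry.path"), WATCHED_PATHS):
        return False
    data = event.get("registry.data.strings")
    if matches_any(data, EXCLUDED_DATA):                       # driver installs writing .sys paths
        return False
    if matches_any(event.get("process.name"), ("procexp??.exe",)) and \
            matches_any(data, (r"?:\*\procexp*.sys",)):          # Process Explorer helper driver
        return False
    if matches_any(event.get("process.executable"), EXCLUDED_EXECUTABLES):
        return False
    return True


def evaluate(events) -> list:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (invented names and paths), flattened to ECS field names.
_BASE = {"host.os.type": "windows", "event.type": ["change"]}
SAMPLE_EVENTS = [
    # 0: a binary in a user temp directory rewrites a service ImagePath -> alert
    {**_BASE, "registry.value": "ImagePath",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\WinUpdSvc\ImagePath",
     "registry.data.strings": [r"C:\Users\alice\AppData\Local\Temp\upd.exe"],
     "process.name": "upd.exe", "process.executable": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    # 1: the same write performed by services.exe (the normal SCM path) -> excluded executable
    {**_BASE, "registry.value": "ImagePath",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\WinUpdSvc\ImagePath",
     "registry.data.strings": [r"C:\Users\alice\AppData\Local\Temp\upd.exe"],
     "process.name": "services.exe", "process.executable": r"C:\Windows\System32\services.exe"},
    # 2: an installer registering a kernel driver under \drivers -> excluded by the data filter
    {**_BASE, "registry.value": "ImagePath",
     "registry.path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acmedrv\ImagePath",
     "registry.data.strings": [r"\SystemRoot\System32\drivers\acmedrv.sys"],
     "process.name": "setup.exe", "process.executable": r"C:\Users\alice\Downloads\setup.exe"},
    # 3: Process Explorer loading its helper driver -> procexp carve-out
    {**_BASE, "registry.value": "ImagePath",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath",
     "registry.data.strings": [r"C:\Tools\procexp64a.sys"],
     "process.name": "procexp64.exe", "process.executable": r"C:\Tools\procexp64.exe"},
    # 4: ServiceDLL under a Parameters subkey, logged in the MACHINE\ form -> alert
    {**_BASE, "registry.value": "ServiceDLL",
     "registry.path": r"MACHINE\SYSTEM\ControlSet001\Services\Netman\Parameters\ServiceDLL",
     "registry.data.strings": [r"C:\ProgramData\netman.dll"],
     "process.name": "tool.exe", "process.executable": r"C:\Users\alice\Downloads\tool.exe"},
    # 5: same write, but the sensor rendered the path with CurrentControlSet -> no path match
    {**_BASE, "registry.value": "ImagePath",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath",
     "registry.data.strings": [r"C:\Users\alice\AppData\Local\Temp\upd.exe"],
     "process.name": "upd.exe", "process.executable": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    # 6: a Start value change on a service key -> not a watched value
    {**_BASE, "registry.value": "Start",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\WinUpdSvc\Start",
     "registry.data.strings": ["2"],
     "process.name": "upd.exe", "process.executable": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # -> [0, 4]
```

Two things the walk-through makes visible that are worth checking in a real deployment: the `*` in `Services\*\ServiceDLL` spans subkeys, so a `Parameters\ServiceDLL` write matches as intended, while `ControlSet*` only matches paths rendered with `ControlSet001`-style names, so verify how each configured data source renders the key before relying on the rule across all of them. The exclusions are evaluated only after the path and value tests, so an exception added for a vendor updater should be as narrow as the existing `?:\Program Files\*.exe` style entries rather than a bare `*.exe`.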
Related rules
- Adding Hidden File Attribute via Attrib
- Image File Execution Options Injection
- Installation of Security Support Provider
- Registry Persistence via AppInit DLL
- Suspicious ImagePath Service Creation