Unusual Persistence via Services Registry

Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
modification of an existing service.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Persistence via Services Registry"
risk_score = 21
rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : ("ServiceDLL", "ImagePath") and
  registry.path : (
      "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
      "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
      "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
      "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
      "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
      "MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
  ) and not registry.data.strings : (
      "?:\\windows\\system32\\Drivers\\*.sys",
      "\\SystemRoot\\System32\\drivers\\*.sys",
      "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
      "\\??\\?:\\Windows\\syswow64\\*.sys",
      "system32\\DRIVERS\\USBSTOR") and
  not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
  not process.executable : (
      "?:\\Program Files\\*.exe",
      "?:\\Program Files (x86)\\*.exe",
      "?:\\Windows\\System32\\svchost.exe",
      "?:\\Windows\\winsxs\\*\\TiWorker.exe",
      "?:\\Windows\\System32\\drvinst.exe",
      "?:\\Windows\\System32\\services.exe",
      "?:\\Windows\\System32\\msiexec.exe",
      "?:\\Windows\\System32\\regsvr32.exe",
      "?:\\Windows\\System32\\WaaSMedicAgent.exe"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Persistence via Services Registry

Windows services are crucial for running background processes. Adversaries may exploit this by directly altering service registry keys to maintain persistence, bypassing standard APIs. The detection rule identifies such anomalies by monitoring changes to specific registry paths and filtering out legitimate processes, thus highlighting potential unauthorized service modifications indicative of malicious activity.

### Possible investigation steps

- Review the specific registry paths and values that triggered the alert, focusing on "ServiceDLL" and "ImagePath" within the specified registry paths to identify any unauthorized or suspicious modifications.
- Examine the process responsible for the registry change, paying attention to the process name and executable path, to determine if it is a known legitimate process or potentially malicious.
- Cross-reference the process executable path against the list of known legitimate paths excluded in the query to ensure it is not a false positive.
- Investigate the historical behavior of the process and any associated files or network activity to identify patterns indicative of malicious intent or persistence mechanisms.
- Check for any recent changes or anomalies in the system's service configurations that could correlate with the registry modifications, indicating potential unauthorized service creation or alteration.
- Consult threat intelligence sources or databases to determine if the process or registry changes are associated with known malware or adversary techniques.

### False positive analysis

- Legitimate software installations or updates may modify service registry keys directly. Users can create exceptions for known software update processes by excluding their executables from the detection rule.
- System maintenance tools like Process Explorer may trigger false positives when they interact with service registry keys. Exclude these tools by adding their process names and paths to the exception list.
- Drivers installed by trusted hardware peripherals might alter service registry keys. Users should identify and exclude these driver paths if they are known to be safe and frequently updated.
- Custom enterprise applications that require direct registry modifications for service management can be excluded by specifying their executable paths in the rule exceptions.
- Regular system processes such as svchost.exe or services.exe are already excluded, but ensure any custom scripts or automation tools that mimic these processes are also accounted for in the exceptions.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified in the alert that are not part of legitimate applications or services.
- Restore the modified registry keys to their original state using a known good backup or by manually correcting the entries to ensure the integrity of the service configurations.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional malicious software or artifacts.
- Review and update endpoint protection policies to ensure that similar unauthorized registry modifications are detected and blocked in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Document the incident details, including the steps taken for containment and remediation, to enhance future response efforts and update threat intelligence databases."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
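As an added example (not part of the Elastic rule or its documentation), the following Python re-implements the clauses of the query above and runs them over constructed registry events, so the effect of each exclusion can be checked offline before tuning the rule. The field names are the ECS fields the query references; the service names, file paths and processes in the sample events are made up, and the handling of missing fields is an assumption noted in the code.

```python
import re

# Added example, not Elastic's code: a Python re-implementation of the rule's
# EQL matching logic, evaluated over constructed ECS-style registry events.

VALUE_NAMES = ("ServiceDLL", "ImagePath")
PATH_PATTERNS = (
    r"HKLM\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"HKLM\SYSTEM\ControlSet*\Services\*\ImagePath",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath",
    r"MACHINE\SYSTEM\ControlSet*\Services\*\ServiceDLL",
    r"MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath",
)
BENIGN_DATA = (  # driver binaries living in the system driver directories
    r"?:\windows\system32\Drivers\*.sys",
    r"\SystemRoot\System32\drivers\*.sys",
    r"\??\?:\Windows\system32\Drivers\*.SYS",
    r"\??\?:\Windows\syswow64\*.sys",
    r"system32\DRIVERS\USBSTOR",
)
EXCLUDED_EXECUTABLES = (  # Windows components and install locations the rule trusts
    r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\System32\svchost.exe", r"?:\Windows\winsxs\*\TiWorker.exe",
    r"?:\Windows\System32\drvinst.exe", r"?:\Windows\System32\services.exe",
    r"?:\Windows\System32\msiexec.exe", r"?:\Windows\System32\regsvr32.exe",
    r"?:\Windows\System32\WaaSMedicAgent.exe",
)


def wildcard_to_regex(pattern):
    """EQL ':' semantics: case-insensitive; '*' is any run of characters, '?' one character."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_any(value, patterns):
    # Assumption: a missing field matches nothing, so a negated clause does not
    # exclude the event. Confirm this against your EQL engine's null handling.
    if value is None:
        return False
    return any(wildcard_to_regex(p).match(value) for p in patterns)


def rule_matches(event):
    """True when the event satisfies every clause of the rule's query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if not matches_any(event.get("registry.value"), VALUE_NAMES):
        return False
    if not matches_any(event.get("registry.path"), PATH_PATTERNS):
        return False
    data = event.get("registry.data.strings")
    if matches_any(data, BENIGN_DATA):
        return False
    if matches_any(event.get("process.name"), ("procexp??.exe",)) and \
            matches_any(data, (r"?:\*\procexp*.sys",)):
        return False  # Process Explorer registering its own driver
    if matches_any(event.get("process.executable"), EXCLUDED_EXECUTABLES):
        return False
    return True


def evaluate_events(events):
    """Ids of the events that would raise this alert."""
    return [e["id"] for e in events if rule_matches(e)]


def make_event(event_id, value, path, data, executable, os_type="windows", event_type="change"):
    """Build a flat ECS-style event (constructed sample data, not real telemetry)."""
    return {"id": event_id, "host.os.type": os_type, "event.type": event_type,
            "registry.value": value, "registry.path": path, "registry.data.strings": data,
            "process.name": executable.rsplit("\\", 1)[-1], "process.executable": executable}


# Constructed sample events; every path and service name here is made up.
SAMPLE_EVENTS = [
    make_event("evt-1", "ImagePath", r"HKLM\SYSTEM\ControlSet001\Services\UpdaterSvc\ImagePath",
               r"C:\Users\alice\AppData\Local\Temp\svc.exe",
               r"C:\Users\alice\AppData\Local\Temp\updater.exe"),  # binary in a temp dir: alert
    make_event("evt-2", "ImagePath", r"HKLM\SYSTEM\ControlSet001\Services\Spooler\ImagePath",
               r"C:\Windows\System32\spoolsv.exe",
               r"C:\Windows\System32\services.exe"),  # the SCM itself: excluded
    make_event("evt-3", "ImagePath", r"HKLM\SYSTEM\ControlSet001\Services\netfilter\ImagePath",
               r"\SystemRoot\System32\drivers\netfilter.sys",
               r"C:\Windows\Temp\drvsetup.exe"),  # data points into the driver directory: excluded
    make_event("evt-4", "ImagePath", r"HKLM\SYSTEM\ControlSet001\Services\ProcExpDrv\ImagePath",
               r"C:\Users\bob\AppData\Local\Temp\procexp64.sys",
               r"C:\Tools\procexp64.exe"),  # Process Explorer exception
    make_event("evt-5", "ServiceDLL",
               r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\Parameters\ServiceDLL",
               r"C:\Windows\Temp\payload.dll",
               r"C:\Windows\Temp\loader.exe"),  # '*' spans the Parameters subkey: alert
    make_event("evt-6", "ImagePath", r"HKLM\SYSTEM\ControlSet001\Services\VendorSvc\ImagePath",
               r"C:\Program Files\Vendor\vendorsvc.exe",
               r"C:\Program Files\Vendor\setup.exe"),  # trusted install location: excluded
]

if __name__ == "__main__":
    print(evaluate_events(SAMPLE_EVENTS))
```

Two details worth noticing when tuning exclusions: the `*` in `Services\*\ServiceDLL` spans backslashes, so a ServiceDLL value under a `Parameters` subkey still matches, and the `process.executable` exclusions only apply to the writing process, so a loader outside `Program Files` that points ImagePath at a binary inside it still alerts.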

