Unusual Persistence via Services Registry

Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
11could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
12modification of an existing service.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unusual Persistence via Services Registry"
19risk_score = 21
20rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Persistence",
27    "Tactic: Defense Evasion",
28    "Data Source: Elastic Endgame",
29    "Data Source: Elastic Defend",
30    "Data Source: Sysmon",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and event.type == "change" and
37  registry.value : ("ServiceDLL", "ImagePath") and
38  registry.path : (
39      "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
40      "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
41      "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
42      "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
43  ) and not registry.data.strings : (
44      "?:\\windows\\system32\\Drivers\\*.sys",
45      "\\SystemRoot\\System32\\drivers\\*.sys",
46      "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
47      "\\??\\?:\\Windows\\syswow64\\*.sys",
48      "system32\\DRIVERS\\USBSTOR") and
49  not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
50  not process.executable : (
51      "?:\\Program Files\\*.exe",
52      "?:\\Program Files (x86)\\*.exe",
53      "?:\\Windows\\System32\\svchost.exe",
54      "?:\\Windows\\winsxs\\*\\TiWorker.exe",
55      "?:\\Windows\\System32\\drvinst.exe",
56      "?:\\Windows\\System32\\services.exe",
57      "?:\\Windows\\System32\\msiexec.exe",
58      "?:\\Windows\\System32\\regsvr32.exe",
59      "?:\\Windows\\System32\\WaaSMedicAgent.exe"
60  )
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1543"
68name = "Create or Modify System Process"
69reference = "https://attack.mitre.org/techniques/T1543/"
70[[rule.threat.technique.subtechnique]]
71id = "T1543.003"
72name = "Windows Service"
73reference = "https://attack.mitre.org/techniques/T1543/003/"
74
75
76
77[rule.threat.tactic]
78id = "TA0003"
79name = "Persistence"
80reference = "https://attack.mitre.org/tactics/TA0003/"
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1112"
85name = "Modify Registry"
86reference = "https://attack.mitre.org/techniques/T1112/"
87
88
89[rule.threat.tactic]
90id = "TA0005"
91name = "Defense Evasion"
92reference = "https://attack.mitre.org/tactics/TA0005/"
