Unusual Persistence via Services Registry
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
11could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
12modification of an existing service.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unusual Persistence via Services Registry"
19risk_score = 21
20rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Persistence",
27 "Tactic: Defense Evasion",
28 "Data Source: Elastic Endgame",
29 "Data Source: Elastic Defend",
30 "Data Source: Sysmon",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and event.type == "change" and
37 registry.path : (
38 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
39 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
40 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
41 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
42 ) and not registry.data.strings : (
43 "?:\\windows\\system32\\Drivers\\*.sys",
44 "\\SystemRoot\\System32\\drivers\\*.sys",
45 "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
46 "system32\\DRIVERS\\USBSTOR") and
47 not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
48 not process.executable : (
49 "?:\\Program Files\\*.exe",
50 "?:\\Program Files (x86)\\*.exe",
51 "?:\\Windows\\System32\\svchost.exe",
52 "?:\\Windows\\winsxs\\*\\TiWorker.exe",
53 "?:\\Windows\\System32\\drvinst.exe",
54 "?:\\Windows\\System32\\services.exe",
55 "?:\\Windows\\System32\\msiexec.exe",
56 "?:\\Windows\\System32\\regsvr32.exe")
57'''
58
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1543"
64name = "Create or Modify System Process"
65reference = "https://attack.mitre.org/techniques/T1543/"
66[[rule.threat.technique.subtechnique]]
67id = "T1543.003"
68name = "Windows Service"
69reference = "https://attack.mitre.org/techniques/T1543/003/"
70
71
72
73[rule.threat.tactic]
74id = "TA0003"
75name = "Persistence"
76reference = "https://attack.mitre.org/tactics/TA0003/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1112"
81name = "Modify Registry"
82reference = "https://attack.mitre.org/techniques/T1112/"
83
84
85[rule.threat.tactic]
86id = "TA0005"
87name = "Defense Evasion"
88reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Image File Execution Options Injection
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected
- Registry Persistence via AppInit DLL
- Suspicious ImagePath Service Creation