Unusual Persistence via Services Registry
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
11could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
12modification of an existing service.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Unusual Persistence via Services Registry"
19risk_score = 21
20rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Persistence",
27 "Tactic: Defense Evasion",
28 "Data Source: Elastic Endgame",
29 "Data Source: Elastic Defend",
30 "Data Source: Sysmon",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and event.type == "change" and
37 registry.value : ("ServiceDLL", "ImagePath") and
38 registry.path : (
39 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
40 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
41 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
42 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
43 ) and not registry.data.strings : (
44 "?:\\windows\\system32\\Drivers\\*.sys",
45 "\\SystemRoot\\System32\\drivers\\*.sys",
46 "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
47 "\\??\\?:\\Windows\\syswow64\\*.sys",
48 "system32\\DRIVERS\\USBSTOR") and
49 not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
50 not process.executable : (
51 "?:\\Program Files\\*.exe",
52 "?:\\Program Files (x86)\\*.exe",
53 "?:\\Windows\\System32\\svchost.exe",
54 "?:\\Windows\\winsxs\\*\\TiWorker.exe",
55 "?:\\Windows\\System32\\drvinst.exe",
56 "?:\\Windows\\System32\\services.exe",
57 "?:\\Windows\\System32\\msiexec.exe",
58 "?:\\Windows\\System32\\regsvr32.exe",
59 "?:\\Windows\\System32\\WaaSMedicAgent.exe"
60 )
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1543"
68name = "Create or Modify System Process"
69reference = "https://attack.mitre.org/techniques/T1543/"
70[[rule.threat.technique.subtechnique]]
71id = "T1543.003"
72name = "Windows Service"
73reference = "https://attack.mitre.org/techniques/T1543/003/"
74
75
76
77[rule.threat.tactic]
78id = "TA0003"
79name = "Persistence"
80reference = "https://attack.mitre.org/tactics/TA0003/"
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1112"
85name = "Modify Registry"
86reference = "https://attack.mitre.org/techniques/T1112/"
87
88
89[rule.threat.tactic]
90id = "TA0005"
91name = "Defense Evasion"
92reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Image File Execution Options Injection
- Suspicious ImagePath Service Creation
- Suspicious Startup Shell Folder Modification
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected