Unusual Persistence via Services Registry
Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This
13could be an indication of an adversary attempting to stealthily persist through abnormal service creation or
14modification of an existing service.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Unusual Persistence via Services Registry"
21risk_score = 21
22rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29registry where host.os.type == "windows" and event.type == "change" and
30 registry.path : (
31 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
32 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
33 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL",
34 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
35 ) and not registry.data.strings : (
36 "?:\\windows\\system32\\Drivers\\*.sys",
37 "\\SystemRoot\\System32\\drivers\\*.sys",
38 "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS",
39 "system32\\DRIVERS\\USBSTOR") and
40 not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and
41 not process.executable : (
42 "?:\\Program Files\\*.exe",
43 "?:\\Program Files (x86)\\*.exe",
44 "?:\\Windows\\System32\\svchost.exe",
45 "?:\\Windows\\winsxs\\*\\TiWorker.exe",
46 "?:\\Windows\\System32\\drvinst.exe",
47 "?:\\Windows\\System32\\services.exe",
48 "?:\\Windows\\System32\\msiexec.exe",
49 "?:\\Windows\\System32\\regsvr32.exe")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1543"
57name = "Create or Modify System Process"
58reference = "https://attack.mitre.org/techniques/T1543/"
59[[rule.threat.technique.subtechnique]]
60id = "T1543.003"
61name = "Windows Service"
62reference = "https://attack.mitre.org/techniques/T1543/003/"
63
64
65
66[rule.threat.tactic]
67id = "TA0003"
68name = "Persistence"
69reference = "https://attack.mitre.org/tactics/TA0003/"
70
71
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1112"
77name = "Modify Registry"
78reference = "https://attack.mitre.org/techniques/T1112/"
79
80[rule.threat.tactic]
81id = "TA0005"
82name = "Defense Evasion"
83reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Image File Execution Options Injection
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected
- Registry Persistence via AppInit DLL
- Suspicious DLL Loaded for Persistence or Privilege Escalation