Suspicious ImagePath Service Creation

Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to
stealthily persist or escalate privileges through abnormal service creation.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ImagePath Service Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious ImagePath Service Creation

Windows services are crucial for running background processes. Adversaries exploit this by creating or modifying services with malicious ImagePath values to gain persistence or escalate privileges. The detection rule monitors registry changes to ImagePath entries, flagging unusual patterns like command shells or named pipes, which are often used in stealthy attacks. This helps identify and mitigate potential threats early.

### Possible investigation steps

- Review the registry event logs to identify the specific ImagePath value that triggered the alert, focusing on entries with command shells or named pipes, such as those containing "%COMSPEC%*" or "*\\\\.\\\\pipe\\\\*".
- Investigate the associated service name and description in the registry path "HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath" to determine if it is a legitimate service or potentially malicious.
- Check the creation or modification timestamp of the suspicious ImagePath entry to correlate with other system events or user activities around the same time.
- Analyze the parent process and user account responsible for the registry change to assess if it aligns with expected behavior or if it indicates unauthorized access.
- Search for related network activity or connections, especially those involving named pipes, to identify any lateral movement or data exfiltration attempts.
- Cross-reference the alert with threat intelligence sources to determine if the ImagePath value or associated service is linked to known malware or adversary techniques.

### False positive analysis

- Legitimate software updates or installations may modify ImagePath values, triggering alerts. Users can create exceptions for known software update processes to reduce noise.
- System administrators might intentionally change service configurations for maintenance or optimization. Document and exclude these planned changes to prevent false positives.
- Some enterprise applications use named pipes for inter-process communication, which could be flagged. Identify and whitelist these applications to avoid unnecessary alerts.
- Security tools or scripts that automate service management might alter ImagePath values. Ensure these tools are recognized and excluded from monitoring to minimize false alerts.
- Regularly review and update the list of exceptions to ensure they align with current organizational practices and software environments.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes associated with the identified ImagePath values, such as those involving command shells or named pipes.
- Remove or disable the malicious service by reverting the ImagePath registry entry to its legitimate state or deleting the service if it is not required.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or malware.
- Review and restore any modified system files or configurations to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly."""
risk_score = 73
rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : "ImagePath" and
  registry.path : (
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
    ) and
  /* add suspicious registry ImagePath values here */
  registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
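To make the query's matching concrete, the following Python re-implements its logic over a handful of flattened ECS-style registry events and runs it. This is an added example, not Elastic's code and not the EQL engine: the wildcard patterns are copied from the rule with EQL's `\\` escape collapsed to a single backslash, the `:` operator is approximated as a case-insensitive `fnmatch`, the sample events are constructed, and the `excluded_writers` argument (matched against `process.executable`) is a hypothetical tuning knob that stands in for the exceptions the false-positive section recommends.

```python
import fnmatch

# Patterns copied from the rule's EQL query. EQL's "\\" escape has been
# collapsed to a single backslash, which is what the engine compares against.
IMAGEPATH_KEY_PATTERNS = (
    r"HKLM\SYSTEM\ControlSet*\Services\*\ImagePath",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath",
)
SUSPICIOUS_DATA_PATTERNS = (
    "%COMSPEC%*",      # service binary is a cmd.exe invocation
    r"*\.\pipe\*",     # service binary references a named pipe
)


def eql_like(value, patterns):
    """Approximate EQL's ':' operator: case-insensitive wildcard match against
    any of the patterns; a list-valued field matches if any element matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(
        fnmatch.fnmatchcase(str(v).lower(), p.lower())
        for v in values
        for p in patterns
    )


def rule_matches(event):
    """Re-implementation of the rule's query over one flattened event dict."""
    return (
        event.get("event.category") == "registry"
        and event.get("host.os.type") == "windows"
        and event.get("event.type") == "change"
        and eql_like(event.get("registry.value"), ("ImagePath",))
        and eql_like(event.get("registry.path"), IMAGEPATH_KEY_PATTERNS)
        and eql_like(event.get("registry.data.strings"), SUSPICIOUS_DATA_PATTERNS)
    )


def run_rule(events, excluded_writers=()):
    """Return ids of events that fire. excluded_writers is a hypothetical
    exception list of process.executable wildcards (e.g. a known installer)."""
    return [
        ev["id"]
        for ev in events
        if rule_matches(ev) and not eql_like(ev.get("process.executable"), excluded_writers)
    ]


def _event(id_, path, data, writer, os_type="windows", value="ImagePath", etype="change"):
    """Helper for the constructed sample events below."""
    return {
        "id": id_, "event.category": "registry", "event.type": etype,
        "host.os.type": os_type, "registry.path": path, "registry.value": value,
        "registry.data.strings": [data], "process.executable": writer,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # e1: service whose ImagePath is a %COMSPEC% invocation -> fires
    _event("e1", r"HKLM\SYSTEM\ControlSet001\Services\UpdSvc\ImagePath",
           r"%COMSPEC% /c C:\Temp\task.bat", r"C:\Windows\System32\sc.exe"),
    # e2: same key in native \REGISTRY\MACHINE form, value references a named pipe -> fires
    _event("e2", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PipeSvc\ImagePath",
           r"cmd.exe /c echo ready > \\.\pipe\pipesvc", r"C:\Windows\System32\services.exe"),
    # e3: ordinary svchost-hosted service -> no match on registry.data.strings
    _event("e3", r"HKLM\SYSTEM\ControlSet001\Services\Dhcp\ImagePath",
           r"C:\Windows\System32\svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    # e4: a different value under the same service key -> registry.value != ImagePath
    _event("e4", r"HKLM\SYSTEM\ControlSet001\Services\UpdSvc\Start",
           r"%COMSPEC% /c C:\Temp\task.bat", r"C:\Windows\System32\sc.exe", value="Start"),
    # e5: not a Windows host -> filtered by host.os.type
    _event("e5", r"HKLM\SYSTEM\ControlSet001\Services\UpdSvc\ImagePath",
           r"%COMSPEC% /c C:\Temp\task.bat", r"C:\Windows\System32\sc.exe", os_type="linux"),
    # e6: suspicious value, but written by a vendor installer an analyst may except
    _event("e6", r"HKLM\SYSTEM\ControlSet001\Services\VendorAgent\ImagePath",
           r"%COMSPEC% /c C:\Program Files\Vendor\post_install.bat",
           r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    print("no exceptions:", run_rule(SAMPLE_EVENTS))
    print("installer excepted:", run_rule(SAMPLE_EVENTS, (r"C:\Program Files\Vendor\*",)))
```

Running it shows e1, e2 and e6 firing with no exceptions and only e1 and e2 once the vendor installer is excepted; e3 through e5 illustrate which clause of the query drops a benign or out-of-scope event. Note that `ControlSet*` in the key pattern matches `ControlSet001`-style keys but not the `CurrentControlSet` alias, so sample paths use the numbered form, as the data sources listed in the rule report them.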