Suspicious ImagePath Service Creation
Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/23"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to
11stealthily persist or escalate privileges through abnormal service creation.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious ImagePath Service Creation"
18risk_score = 73
19rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
20severity = "high"
21tags = [
22 "Domain: Endpoint",
23 "OS: Windows",
24 "Use Case: Threat Detection",
25 "Tactic: Persistence",
26 "Tactic: Defense Evasion",
27 "Data Source: Elastic Endgame",
28 "Data Source: Elastic Defend",
29 "Data Source: Sysmon",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type == "change" and
36 registry.value : "ImagePath" and
37 registry.path : (
38 "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
39 "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
40 ) and
41 /* add suspicious registry ImagePath values here */
42 registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1543"
50name = "Create or Modify System Process"
51reference = "https://attack.mitre.org/techniques/T1543/"
52[[rule.threat.technique.subtechnique]]
53id = "T1543.003"
54name = "Windows Service"
55reference = "https://attack.mitre.org/techniques/T1543/003/"
56
57
58
59[rule.threat.tactic]
60id = "TA0003"
61name = "Persistence"
62reference = "https://attack.mitre.org/tactics/TA0003/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1112"
67name = "Modify Registry"
68reference = "https://attack.mitre.org/techniques/T1112/"
69
70
71[rule.threat.tactic]
72id = "TA0005"
73name = "Defense Evasion"
74reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Image File Execution Options Injection
- Suspicious Startup Shell Folder Modification
- Unusual Persistence via Services Registry
- Installation of Security Support Provider
- Persistence via Hidden Run Key Detected