Suspicious ImagePath Service Creation

Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to
11stealthily persist or escalate privileges through abnormal service creation.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious ImagePath Service Creation"
18risk_score = 73
19rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
20severity = "high"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Persistence",
26    "Tactic: Defense Evasion",
27    "Data Source: Elastic Endgame",
28    "Data Source: Elastic Defend",
29    "Data Source: Sysmon",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type == "change" and
36  registry.value : "ImagePath" and
37  registry.path : (
38    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
39    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
40    ) and
41  /* add suspicious registry ImagePath values here */
42  registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1543"
50name = "Create or Modify System Process"
51reference = "https://attack.mitre.org/techniques/T1543/"
52[[rule.threat.technique.subtechnique]]
53id = "T1543.003"
54name = "Windows Service"
55reference = "https://attack.mitre.org/techniques/T1543/003/"
56
57
58
59[rule.threat.tactic]
60id = "TA0003"
61name = "Persistence"
62reference = "https://attack.mitre.org/tactics/TA0003/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1112"
67name = "Modify Registry"
68reference = "https://attack.mitre.org/techniques/T1112/"
69
70
71[rule.threat.tactic]
72id = "TA0005"
73name = "Defense Evasion"
74reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top