Suspicious ImagePath Service Creation

Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.


 1[metadata]
 2creation_date = "2020/11/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to
13stealthily persist or escalate privileges through abnormal service creation.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious ImagePath Service Creation"
20risk_score = 73
21rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
22severity = "high"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
24timestamp_override = "event.ingested"
25type = "eql"
26
27query = '''
28registry where host.os.type == "windows" and registry.path : (
29    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
30    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
31    ) and
32 /* add suspicious registry ImagePath values here */
33    registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1543"
41name = "Create or Modify System Process"
42reference = "https://attack.mitre.org/techniques/T1543/"
43[[rule.threat.technique.subtechnique]]
44id = "T1543.003"
45name = "Windows Service"
46reference = "https://attack.mitre.org/techniques/T1543/003/"
47
48
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
54
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1112"
61name = "Modify Registry"
62reference = "https://attack.mitre.org/techniques/T1112/"
63
64[rule.threat.tactic]
65id = "TA0005"
66name = "Defense Evasion"
67reference = "https://attack.mitre.org/tactics/TA0005/"
