Suspicious ImagePath Service Creation
Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to
stealthily persist or escalate privileges through abnormal service creation.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ImagePath Service Creation"
risk_score = 73
rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.value : "ImagePath" and
  registry.path : (
    "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath",
    "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath"
  ) and
  /* add suspicious registry ImagePath values here */
  registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious ImagePath Service Creation

Windows services are crucial for running background processes. Adversaries exploit this by creating or modifying services with malicious ImagePath values to gain persistence or escalate privileges. The detection rule monitors registry changes to ImagePath entries, flagging unusual patterns like command shells or named pipes, which are often used in stealthy attacks. This helps identify and mitigate potential threats early.

### Possible investigation steps

- Review the registry event logs to identify the specific ImagePath value that triggered the alert, focusing on entries with command shells or named pipes, such as those containing "%COMSPEC%*" or "*\\\\.\\\\pipe\\\\*".
- Investigate the associated service name and description in the registry path "HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath" to determine if it is a legitimate service or potentially malicious.
- Check the creation or modification timestamp of the suspicious ImagePath entry to correlate with other system events or user activities around the same time.
- Analyze the parent process and user account responsible for the registry change to assess if it aligns with expected behavior or if it indicates unauthorized access.
- Search for related network activity or connections, especially those involving named pipes, to identify any lateral movement or data exfiltration attempts.
- Cross-reference the alert with threat intelligence sources to determine if the ImagePath value or associated service is linked to known malware or adversary techniques.

### False positive analysis

- Legitimate software updates or installations may modify ImagePath values, triggering alerts. Users can create exceptions for known software update processes to reduce noise.
- System administrators might intentionally change service configurations for maintenance or optimization. Document and exclude these planned changes to prevent false positives.
- Some enterprise applications use named pipes for inter-process communication, which could be flagged. Identify and whitelist these applications to avoid unnecessary alerts.
- Security tools or scripts that automate service management might alter ImagePath values. Ensure these tools are recognized and excluded from monitoring to minimize false alerts.
- Regularly review and update the list of exceptions to ensure they align with current organizational practices and software environments.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes associated with the identified ImagePath values, such as those involving command shells or named pipes.
- Remove or disable the malicious service by reverting the ImagePath registry entry to its legitimate state or deleting the service if it is not required.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or malware.
- Review and restore any modified system files or configurations to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to detect and respond to future threats promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
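To make the rule's where-clause and the guide's exception handling concrete, here is an added Python re-implementation of the query's matching logic (not Elastic's code; EQL's `:` operator is approximated as a case-insensitive wildcard match, the flattened ECS-style event dicts and the `exceptions` service allowlist are assumptions, and the sample events are constructed):

```python
import re

# Patterns copied from the rule's EQL query (a TOML literal string, so no TOML escaping applies).
IMAGEPATH_PATHS = (r"HKLM\SYSTEM\ControlSet*\Services\*\ImagePath",
                   r"\REGISTRY\MACHINE\SYSTEM\ControlSet*\Services\*\ImagePath")
SUSPICIOUS_DATA = ("%COMSPEC%*", r"*\.\pipe\*")


def eql_like(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_rule(event):
    """Apply the rule's where-clause to one flattened ECS-style registry event (dict)."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    if not eql_like(event.get("registry.value", ""), "ImagePath"):
        return False
    if not any(eql_like(event.get("registry.path", ""), p) for p in IMAGEPATH_PATHS):
        return False
    data = event.get("registry.data.strings", [])
    data = [data] if isinstance(data, str) else data  # field may be single- or multi-valued
    return any(eql_like(d, p) for d in data for p in SUSPICIOUS_DATA)


def service_name(path):
    # Pull the service key out of a ...\Services\<name>\ImagePath path (None if absent).
    m = re.search(r"\\Services\\([^\\]+)\\ImagePath$", path, flags=re.IGNORECASE)
    return m.group(1) if m else None


def triage(events, exceptions=()):
    """Return (service, data) for each hit whose service is not on the hypothetical allowlist."""
    allow = {e.lower() for e in exceptions}
    hits = [(service_name(ev["registry.path"]), ev["registry.data.strings"])
            for ev in events if matches_rule(ev)]
    return [(svc, data) for svc, data in hits if not (svc and svc.lower() in allow)]


def ev(path, data, etype="change", os_type="windows"):
    """Build a constructed registry event in the flattened shape matches_rule() expects."""
    return {"host.os.type": os_type, "event.type": etype, "registry.value": "ImagePath",
            "registry.path": path, "registry.data.strings": [data]}


SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    ev(r"HKLM\SYSTEM\ControlSet001\Services\updsvc\ImagePath", "%COMSPEC% /c echo test"),
    ev(r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VendorAgent\ImagePath",
       r"C:\Program Files\Vendor\agent.exe --pipe \\.\pipe\vendoragent"),
    ev(r"HKLM\SYSTEM\ControlSet001\Services\Spooler\ImagePath", r"C:\Windows\System32\spoolsv.exe"),
    ev(r"HKLM\SYSTEM\ControlSet001\Services\updsvc\ImagePath", "%COMSPEC% /c echo test", etype="deletion"),
]
```

Running `triage(SAMPLE_EVENTS, exceptions=("VendorAgent",))` keeps only the `updsvc` hit: the vendor agent's named-pipe ImagePath is the kind of legitimate IPC use the false-positive section says to exempt, and the `deletion` event falls outside the rule's `event.type == "change"` filter.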
Related rules
- Image File Execution Options Injection
- Installation of Security Support Provider
- Suspicious WerFault Child Process
- Unusual Persistence via Services Registry
- Adding Hidden File Attribute via Attrib