Potential Privilege Escalation via Service ImagePath Modification
Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/06/05"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
11privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
12to execute commands.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Privilege Escalation via Service ImagePath Modification"
19references = [
20 "https://cube0x0.github.io/Pocing-Beyond-DA/"
21]
22risk_score = 47
23rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Execution",
30 "Tactic: Privilege Escalation",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon"
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
39 event.action == "modification" and registry.value == "ImagePath" and
40 registry.key : (
41 "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
42 "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
43 "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
44 "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
45 "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
46 "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
47 "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
48 "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
49 "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
50 "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
51 "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
52 "*\\WPDBusEnum", "*\\WSearch"
53 ) and
54 not (
55 registry.data.strings : (
56 "?:\\Windows\\system32\\*.exe",
57 "%systemroot%\\system32\\*.exe",
58 "%windir%\\system32\\*.exe",
59 "%SystemRoot%\\system32\\svchost.exe -k *",
60 "%windir%\\system32\\svchost.exe -k *"
61 ) and
62 not registry.data.strings : (
63 "*\\cmd.exe",
64 "*\\cscript.exe",
65 "*\\ieexec.exe",
66 "*\\iexpress.exe",
67 "*\\installutil.exe",
68 "*\\Microsoft.Workflow.Compiler.exe",
69 "*\\msbuild.exe",
70 "*\\mshta.exe",
71 "*\\msiexec.exe",
72 "*\\msxsl.exe",
73 "*\\net.exe",
74 "*\\powershell.exe",
75 "*\\pwsh.exe",
76 "*\\reg.exe",
77 "*\\RegAsm.exe",
78 "*\\RegSvcs.exe",
79 "*\\regsvr32.exe",
80 "*\\rundll32.exe",
81 "*\\vssadmin.exe",
82 "*\\wbadmin.exe",
83 "*\\wmic.exe",
84 "*\\wscript.exe"
85 )
86 )
87'''
88
89
90[[rule.threat]]
91framework = "MITRE ATT&CK"
92[[rule.threat.technique]]
93id = "T1543"
94name = "Create or Modify System Process"
95reference = "https://attack.mitre.org/techniques/T1543/"
96[[rule.threat.technique.subtechnique]]
97id = "T1543.003"
98name = "Windows Service"
99reference = "https://attack.mitre.org/techniques/T1543/003/"
100
101[[rule.threat.technique]]
102id = "T1574"
103name = "Hijack Execution Flow"
104reference = "https://attack.mitre.org/techniques/T1574/"
105[[rule.threat.technique.subtechnique]]
106id = "T1574.011"
107name = "Services Registry Permissions Weakness"
108reference = "https://attack.mitre.org/techniques/T1574/011/"
109
110
111
112[rule.threat.tactic]
113id = "TA0004"
114name = "Privilege Escalation"
115reference = "https://attack.mitre.org/tactics/TA0004/"
116
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1569"
123name = "System Services"
124reference = "https://attack.mitre.org/techniques/T1569/"
125[[rule.threat.technique.subtechnique]]
126id = "T1569.002"
127name = "Service Execution"
128reference = "https://attack.mitre.org/techniques/T1569/002/"
129
130
131
132[rule.threat.tactic]
133id = "TA0002"
134name = "Execution"
135reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Conhost Spawned By Suspicious Parent Process
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- Potential Persistence via Time Provider Modification