Potential Privilege Escalation via Service ImagePath Modification

  1[metadata]
  2creation_date = "2024/06/05"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
 11privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
 12to execute commands.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Potential Privilege Escalation via Service ImagePath Modification"
 19note = """## Triage and analysis
 20
 21> **Disclaimer**:
 22> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 23
 24### Investigating Potential Privilege Escalation via Service ImagePath Modification
 25
 26Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts.
 27
 28### Possible investigation steps
 29
 30- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt).
 31- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\.
 32- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy.
 33- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group.
 34- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions.
 35- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise.
 36
 37### False positive analysis
 38
 39- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives.
 40- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths.
 41- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts.
 42- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection.
 43- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise.
 44
 45### Response and remediation
 46
 47- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
 48- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory.
 49- Restore the modified ImagePath registry key to its original state using a known good configuration or backup.
 50- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms.
 51- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made.
 52- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 53- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly."""
 54references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"]
 55risk_score = 47
 56rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
 57severity = "medium"
 58tags = [
 59    "Domain: Endpoint",
 60    "OS: Windows",
 61    "Use Case: Threat Detection",
 62    "Tactic: Execution",
 63    "Tactic: Privilege Escalation",
 64    "Data Source: Elastic Defend",
 65    "Data Source: Sysmon",
 66    "Resources: Investigation Guide",
 67]
 68timestamp_override = "event.ingested"
 69type = "eql"
 70
 71query = '''
 72registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
 73  event.action == "modification" and registry.value == "ImagePath" and
 74  registry.key : (
 75    "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
 76    "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
 77    "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
 78    "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
 79    "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
 80    "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
 81    "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
 82    "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
 83    "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
 84    "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
 85    "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
 86    "*\\WPDBusEnum", "*\\WSearch"
 87  ) and
 88  not (
 89    registry.data.strings : (
 90        "?:\\Windows\\system32\\*.exe",
 91        "%systemroot%\\system32\\*.exe",
 92        "%windir%\\system32\\*.exe",
 93        "%SystemRoot%\\system32\\svchost.exe -k *",
 94        "%windir%\\system32\\svchost.exe -k *"
 95    ) and
 96        not registry.data.strings : (
 97            "*\\cmd.exe",
 98            "*\\cscript.exe",
 99            "*\\ieexec.exe",
100            "*\\iexpress.exe",
101            "*\\installutil.exe",
102            "*\\Microsoft.Workflow.Compiler.exe",
103            "*\\msbuild.exe",
104            "*\\mshta.exe",
105            "*\\msiexec.exe",
106            "*\\msxsl.exe",
107            "*\\net.exe",
108            "*\\powershell.exe",
109            "*\\pwsh.exe",
110            "*\\reg.exe",
111            "*\\RegAsm.exe",
112            "*\\RegSvcs.exe",
113            "*\\regsvr32.exe",
114            "*\\rundll32.exe",
115            "*\\vssadmin.exe",
116            "*\\wbadmin.exe",
117            "*\\wmic.exe",
118            "*\\wscript.exe"
119        )
120  )
121'''
122
123
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1543"
128name = "Create or Modify System Process"
129reference = "https://attack.mitre.org/techniques/T1543/"
130[[rule.threat.technique.subtechnique]]
131id = "T1543.003"
132name = "Windows Service"
133reference = "https://attack.mitre.org/techniques/T1543/003/"
134
135
136[[rule.threat.technique]]
137id = "T1574"
138name = "Hijack Execution Flow"
139reference = "https://attack.mitre.org/techniques/T1574/"
140[[rule.threat.technique.subtechnique]]
141id = "T1574.011"
142name = "Services Registry Permissions Weakness"
143reference = "https://attack.mitre.org/techniques/T1574/011/"
144
145
146
147[rule.threat.tactic]
148id = "TA0004"
149name = "Privilege Escalation"
150reference = "https://attack.mitre.org/tactics/TA0004/"
151[[rule.threat]]
152framework = "MITRE ATT&CK"
153[[rule.threat.technique]]
154id = "T1569"
155name = "System Services"
156reference = "https://attack.mitre.org/techniques/T1569/"
157[[rule.threat.technique.subtechnique]]
158id = "T1569.002"
159name = "Service Execution"
160reference = "https://attack.mitre.org/techniques/T1569/002/"
161
162
163
164[rule.threat.tactic]
165id = "TA0002"
166name = "Execution"
167reference = "https://attack.mitre.org/tactics/TA0002/"