Potential Privilege Escalation via Service ImagePath Modification
Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.
# Rule housekeeping fields used by the detection-rules tooling (not by the query).
[metadata]
creation_date = "2024/06/05"
# Integrations whose data streams this rule is meant to be evaluated against.
integration = [
    "endpoint",
    "windows",
]
maturity = "production"
updated_date = "2024/10/15"
# Oldest supported stack; the comment key records why the floor is where it is.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

# Rule definition. The EQL query alerts when the ImagePath value of one of the
# listed built-in services is rewritten to something that is not a plain .exe
# under system32, or that is a system32 scripting/LOLBin executable such as
# cmd.exe or powershell.exe.
[rule]
author = ["Elastic"]
description = """
Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
to execute commands.
"""
# Look-back window for each scheduled execution.
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Service ImagePath Modification"
references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"]
risk_score = 47
rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Schedule against ingest time rather than the original event timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Filter structure, reading top to bottom:
#   1. A registry modification of the ImagePath value under one of the listed
#      default service keys, with a resolved writing process
#      (process.executable != null drops events without process context).
#   2. The outer `not (...)` suppresses values that point at an .exe under
#      system32 (drive-letter, %systemroot% or %windir% form), including the
#      `svchost.exe -k <group>` host form used by the default services ...
#   3. ... except when that system32 executable is one of the LOLBin/scripting
#      binaries in the inner `not registry.data.strings : (...)` list, which are
#      still alerted on. The system32 allow-list is what keeps routine servicing
#      quiet; review it before widening rather than relaxing the inner list.
query = '''
registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
 event.action == "modification" and registry.value == "ImagePath" and
 registry.key : (
 "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
 "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
 "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
 "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
 "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
 "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
 "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
 "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
 "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
 "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
 "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
 "*\\WPDBusEnum", "*\\WSearch"
 ) and
 not (
 registry.data.strings : (
 "?:\\Windows\\system32\\*.exe",
 "%systemroot%\\system32\\*.exe",
 "%windir%\\system32\\*.exe",
 "%SystemRoot%\\system32\\svchost.exe -k *",
 "%windir%\\system32\\svchost.exe -k *"
 ) and
 not registry.data.strings : (
 "*\\cmd.exe",
 "*\\cscript.exe",
 "*\\ieexec.exe",
 "*\\iexpress.exe",
 "*\\installutil.exe",
 "*\\Microsoft.Workflow.Compiler.exe",
 "*\\msbuild.exe",
 "*\\mshta.exe",
 "*\\msiexec.exe",
 "*\\msxsl.exe",
 "*\\net.exe",
 "*\\powershell.exe",
 "*\\pwsh.exe",
 "*\\reg.exe",
 "*\\RegAsm.exe",
 "*\\RegSvcs.exe",
 "*\\regsvr32.exe",
 "*\\rundll32.exe",
 "*\\vssadmin.exe",
 "*\\wbadmin.exe",
 "*\\wmic.exe",
 "*\\wscript.exe"
 )
 )
'''

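# ATT&CK mapping for the Privilege Escalation tactic: modifying a service and
# abusing weak permissions on the service registry keys.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.011"
name = "Services Registry Permissions Weakness"
reference = "https://attack.mitre.org/techniques/T1574/011/"

# Tactic of this threat element. It must follow the technique list and precede
# the next [[rule.threat]] header so TOML attaches it to this element.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
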
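# ATT&CK mapping for the Execution tactic: the rewritten service runs the
# attacker-chosen command when the service starts.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"

[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"

# Tactic of this threat element; must stay after its technique list.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"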