Potential Privilege Escalation via Service ImagePath Modification

Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.

Elastic rule

[metadata]
creation_date = "2024/06/05"
integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
to execute commands.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-crowdstrike.fdr*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Service ImagePath Modification"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Privilege Escalation via Service ImagePath Modification

Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts.

### Possible investigation steps

- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt).
- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\.
- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy.
- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group.
- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions.
- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise.

### False positive analysis

- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives.
- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths.
- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts.
- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection.
- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory.
- Restore the modified ImagePath registry key to its original state using a known good configuration or backup.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms.
- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly."""
references = ["https://cube0x0.github.io/Pocing-Beyond-DA/"]
risk_score = 47
rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
  registry.data.strings != null and registry.value == "ImagePath" and
  registry.key : (
    "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
    "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
    "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
    "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
    "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
    "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
    "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
    "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
    "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
    "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
    "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
    "*\\WPDBusEnum", "*\\WSearch"
  ) and
  not (
    registry.data.strings : (
        "?:\\Windows\\system32\\*.exe",
        "%systemroot%\\system32\\*.exe",
        "%windir%\\system32\\*.exe",
        "%SystemRoot%\\system32\\svchost.exe -k *",
        "%windir%\\system32\\svchost.exe -k *"
    ) and
        not registry.data.strings : (
            "*\\cmd.exe",
            "*\\cscript.exe",
            "*\\ieexec.exe",
            "*\\iexpress.exe",
            "*\\installutil.exe",
            "*\\Microsoft.Workflow.Compiler.exe",
            "*\\msbuild.exe",
            "*\\mshta.exe",
            "*\\msiexec.exe",
            "*\\msxsl.exe",
            "*\\net.exe",
            "*\\powershell.exe",
            "*\\pwsh.exe",
            "*\\reg.exe",
            "*\\RegAsm.exe",
            "*\\RegSvcs.exe",
            "*\\regsvr32.exe",
            "*\\rundll32.exe",
            "*\\vssadmin.exe",
            "*\\wbadmin.exe",
            "*\\wmic.exe",
            "*\\wscript.exe"
        )
  )
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Registry Events](https://ela.st/sysmon-event-reg-setup)
"""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.011"
name = "Services Registry Permissions Weakness"
reference = "https://attack.mitre.org/techniques/T1574/011/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1569"
name = "System Services"
reference = "https://attack.mitre.org/techniques/T1569/"

[[rule.threat.technique.subtechnique]]
id = "T1569.002"
name = "Service Execution"
reference = "https://attack.mitre.org/techniques/T1569/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
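The query's predicate re-implemented in Python, added here as an example and not part of the Elastic rule set. It mirrors the EQL logic (the `:` operator's case-insensitive wildcard match via `fnmatch`, `==` as exact comparison, `!= null` as a presence check) and runs it over constructed sample events so the nested exclusion is visible: a path under system32 is excluded only when it is not also one of the listed executables. Field names follow ECS as used in the query; the sample events, the `HKLM\SYSTEM\ControlSet001\Services\` key prefix and the reason labels are assumptions for the example.

```python
"""Mirror of the rule's EQL predicate, run over constructed sample events."""
import fnmatch

# Service key names from the rule's registry.key clause (each used as "*\\<name>").
MONITORED_SERVICES = {
    "ADWS", "AppHostSvc", "AppReadiness", "AudioEndpointBuilder", "AxInstSV", "camsvc", "CertSvc",
    "COMSysApp", "CscService", "defragsvc", "DeviceAssociationService", "DeviceInstall", "DevQueryBroker",
    "Dfs", "DFSR", "diagnosticshub.standardcollector.service", "DiagTrack", "DmEnrollmentSvc", "DNS",
    "dot3svc", "Eaphost", "GraphicsPerfSvc", "hidserv", "HvHost", "IISADMIN", "IKEEXT",
    "InstallService", "iphlpsvc", "IsmServ", "LanmanServer", "MSiSCSI", "NcbService", "Netlogon",
    "Netman", "NtFrs", "PlugPlay", "Power", "PrintNotify", "ProfSvc", "PushToInstall", "RSoPProv",
    "sacsvr", "SENS", "SensorDataService", "SgrmBroker", "ShellHWDetection", "shpamsvc", "StorSvc",
    "svsvc", "swprv", "SysMain", "Themes", "TieringEngineService", "TokenBroker", "TrkWks",
    "UALSVC", "UserManager", "vm3dservice", "vmicguestinterface", "vmicheartbeat", "vmickvpexchange",
    "vmicrdv", "vmicshutdown", "vmicvmsession", "vmicvss", "vmvss", "VSS", "w3logsvc", "W3SVC",
    "WalletService", "WAS", "wercplsupport", "WerSvc", "Winmgmt", "wisvc", "wmiApSrv",
    "WPDBusEnum", "WSearch",
}
MONITORED_SUFFIXES = tuple("\\" + name.lower() for name in MONITORED_SERVICES)

# ImagePath shapes the rule treats as expected: an executable under system32 or a svchost group.
BENIGN_PATTERNS = [
    r"?:\Windows\system32\*.exe",
    r"%systemroot%\system32\*.exe",
    r"%windir%\system32\*.exe",
    r"%SystemRoot%\system32\svchost.exe -k *",
    r"%windir%\system32\svchost.exe -k *",
]

# Executables that remain suspicious as a service ImagePath even under system32.
LOLBIN_PATTERNS = [
    r"*\cmd.exe", r"*\cscript.exe", r"*\ieexec.exe", r"*\iexpress.exe", r"*\installutil.exe",
    r"*\Microsoft.Workflow.Compiler.exe", r"*\msbuild.exe", r"*\mshta.exe", r"*\msiexec.exe",
    r"*\msxsl.exe", r"*\net.exe", r"*\powershell.exe", r"*\pwsh.exe", r"*\reg.exe", r"*\RegAsm.exe",
    r"*\RegSvcs.exe", r"*\regsvr32.exe", r"*\rundll32.exe", r"*\vssadmin.exe", r"*\wbadmin.exe",
    r"*\wmic.exe", r"*\wscript.exe",
]


def matches_any(values, patterns):
    """EQL ':' semantics: case-insensitive wildcard; an array field matches if any element does."""
    if isinstance(values, str):
        values = [values]
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def is_monitored_service(registry_key):
    """registry.key : "*\\<service>" for one of the listed default services."""
    return registry_key.lower().endswith(MONITORED_SUFFIXES)


def classify_imagepath(data_strings):
    """Return why the new ImagePath is flagged, or None when the rule's
    exclusion (under system32 and not a listed LOLBin) applies."""
    if not matches_any(data_strings, BENIGN_PATTERNS):
        return "outside_system32"
    if matches_any(data_strings, LOLBIN_PATTERNS):
        return "lolbin_in_system32"
    return None


def evaluate(event):
    """Apply the whole predicate to one ECS-style registry event; None means no match."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return None
    # The "!= null" clauses: events missing these fields never match.
    if event.get("process.executable") is None or event.get("registry.data.strings") is None:
        return None
    if event.get("registry.value") != "ImagePath":  # '==' is case-sensitive in EQL
        return None
    if not is_monitored_service(event.get("registry.key", "")):
        return None
    return classify_imagepath(event["registry.data.strings"])


def run(events):
    """Return (registry.key, reason) for every event the rule would alert on."""
    return [(ev["registry.key"], evaluate(ev)) for ev in events if evaluate(ev) is not None]


SERVICES = "HKLM\\SYSTEM\\ControlSet001\\Services\\"  # assumed key prefix for the samples
EDITOR = "C:\\Windows\\regedit.exe"                    # assumed modifying process


def _event(service, value, data, proc=EDITOR):
    return {"host.os.type": "windows", "event.type": "change", "process.executable": proc,
            "registry.key": SERVICES + service, "registry.value": value, "registry.data.strings": [data]}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event("LanmanServer", "ImagePath", "%SystemRoot%\\system32\\svchost.exe -k netsvcs"),  # expected shape
    _event("Winmgmt", "ImagePath", "C:\\Users\\Public\\update.exe"),                        # outside system32
    _event("Winmgmt", "ImagePath", "C:\\Windows\\system32\\rundll32.exe"),                  # LOLBin under system32
    _event("VendorAgentSvc", "ImagePath", "C:\\Program Files\\Vendor\\agent.exe"),          # service not listed
    _event("DNS", "ImagePath", "C:\\Temp\\dns.exe", proc=None),                             # process.executable null
]

if __name__ == "__main__":
    for key, reason in run(SAMPLE_EVENTS):
        print(f"ALERT {key} -> {reason}")
```

Running it prints two alerts, both for the Winmgmt samples; the svchost group launch, the unlisted vendor service and the event with no `process.executable` are dropped exactly as the EQL would drop them. The same harness is a cheap way to check a proposed exception before adding it to the rule: put the ImagePath values a known installer writes into `SAMPLE_EVENTS` and confirm which ones still come back from `run`.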
