Potential Privilege Escalation via Service ImagePath Modification

Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/06/05"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/06/05"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
 11privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
 12to execute commands.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Potential Privilege Escalation via Service ImagePath Modification"
 19references = [
 20    "https://cube0x0.github.io/Pocing-Beyond-DA/"
 21]
 22risk_score = 47
 23rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
 24severity = "medium"
 25tags = [
 26    "Domain: Endpoint",
 27    "OS: Windows",
 28    "Use Case: Threat Detection",
 29    "Tactic: Execution",
 30    "Tactic: Privilege Escalation",
 31    "Data Source: Elastic Defend",
 32    "Data Source: Sysmon"
 33]
 34timestamp_override = "event.ingested"
 35type = "eql"
 36
 37query = '''
 38registry where host.os.type == "windows" and event.type == "change" and process.executable != null and 
 39  event.action == "modification" and registry.value == "ImagePath" and
 40  registry.key : (
 41    "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
 42    "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
 43    "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
 44    "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
 45    "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
 46    "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
 47    "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
 48    "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
 49    "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
 50    "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
 51    "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
 52    "*\\WPDBusEnum", "*\\WSearch"
 53  ) and
 54  not (
 55    registry.data.strings : (
 56        "?:\\Windows\\system32\\*.exe",
 57        "%systemroot%\\system32\\*.exe",
 58        "%windir%\\system32\\*.exe",
 59        "%SystemRoot%\\system32\\svchost.exe -k *",
 60        "%windir%\\system32\\svchost.exe -k *"
 61    ) and
 62        not registry.data.strings : (
 63            "*\\cmd.exe",
 64            "*\\cscript.exe",
 65            "*\\ieexec.exe",
 66            "*\\iexpress.exe",
 67            "*\\installutil.exe",
 68            "*\\Microsoft.Workflow.Compiler.exe",
 69            "*\\msbuild.exe",
 70            "*\\mshta.exe",
 71            "*\\msiexec.exe",
 72            "*\\msxsl.exe",
 73            "*\\net.exe",
 74            "*\\powershell.exe",
 75            "*\\pwsh.exe",
 76            "*\\reg.exe",
 77            "*\\RegAsm.exe",
 78            "*\\RegSvcs.exe",
 79            "*\\regsvr32.exe",
 80            "*\\rundll32.exe",
 81            "*\\vssadmin.exe",
 82            "*\\wbadmin.exe",
 83            "*\\wmic.exe",
 84            "*\\wscript.exe"
 85        )
 86  )
 87'''
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1543"
 94name = "Create or Modify System Process"
 95reference = "https://attack.mitre.org/techniques/T1543/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1543.003"
 98name = "Windows Service"
 99reference = "https://attack.mitre.org/techniques/T1543/003/"
100
101[[rule.threat.technique]]
102id = "T1574"
103name = "Hijack Execution Flow"
104reference = "https://attack.mitre.org/techniques/T1574/"
105[[rule.threat.technique.subtechnique]]
106id = "T1574.011"
107name = "Services Registry Permissions Weakness"
108reference = "https://attack.mitre.org/techniques/T1574/011/"
109
110
111
112[rule.threat.tactic]
113id = "TA0004"
114name = "Privilege Escalation"
115reference = "https://attack.mitre.org/tactics/TA0004/"
116
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1569"
123name = "System Services"
124reference = "https://attack.mitre.org/techniques/T1569/"
125[[rule.threat.technique.subtechnique]]
126id = "T1569.002"
127name = "Service Execution"
128reference = "https://attack.mitre.org/techniques/T1569/002/"
129
130
131
132[rule.threat.tactic]
133id = "TA0002"
134name = "Execution"
135reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top