Potential Privilege Escalation via Service ImagePath Modification
Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/06/05"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2025/01/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
13privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
14to execute commands.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Privilege Escalation via Service ImagePath Modification"
21references = [
22 "https://cube0x0.github.io/Pocing-Beyond-DA/"
23]
24risk_score = 47
25rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
26severity = "medium"
27tags = [
28 "Domain: Endpoint",
29 "OS: Windows",
30 "Use Case: Threat Detection",
31 "Tactic: Execution",
32 "Tactic: Privilege Escalation",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35 "Resources: Investigation Guide"
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
42 event.action == "modification" and registry.value == "ImagePath" and
43 registry.key : (
44 "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
45 "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
46 "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
47 "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
48 "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
49 "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
50 "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
51 "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
52 "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
53 "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
54 "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
55 "*\\WPDBusEnum", "*\\WSearch"
56 ) and
57 not (
58 registry.data.strings : (
59 "?:\\Windows\\system32\\*.exe",
60 "%systemroot%\\system32\\*.exe",
61 "%windir%\\system32\\*.exe",
62 "%SystemRoot%\\system32\\svchost.exe -k *",
63 "%windir%\\system32\\svchost.exe -k *"
64 ) and
65 not registry.data.strings : (
66 "*\\cmd.exe",
67 "*\\cscript.exe",
68 "*\\ieexec.exe",
69 "*\\iexpress.exe",
70 "*\\installutil.exe",
71 "*\\Microsoft.Workflow.Compiler.exe",
72 "*\\msbuild.exe",
73 "*\\mshta.exe",
74 "*\\msiexec.exe",
75 "*\\msxsl.exe",
76 "*\\net.exe",
77 "*\\powershell.exe",
78 "*\\pwsh.exe",
79 "*\\reg.exe",
80 "*\\RegAsm.exe",
81 "*\\RegSvcs.exe",
82 "*\\regsvr32.exe",
83 "*\\rundll32.exe",
84 "*\\vssadmin.exe",
85 "*\\wbadmin.exe",
86 "*\\wmic.exe",
87 "*\\wscript.exe"
88 )
89 )
90'''
91note = """## Triage and analysis
92
93> **Disclaimer**:
94> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
95
96### Investigating Potential Privilege Escalation via Service ImagePath Modification
97
98Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts.
99
100### Possible investigation steps
101
102- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\\LanmanServer, *\\Winmgmt).
103- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\\system32\\.
104- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy.
105- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group.
106- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions.
107- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise.
108
109### False positive analysis
110
111- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives.
112- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths.
113- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts.
114- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection.
115- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise.
116
117### Response and remediation
118
119- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
120- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory.
121- Restore the modified ImagePath registry key to its original state using a known good configuration or backup.
122- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms.
123- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made.
124- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
125- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly."""
126
127
128[[rule.threat]]
129framework = "MITRE ATT&CK"
130[[rule.threat.technique]]
131id = "T1543"
132name = "Create or Modify System Process"
133reference = "https://attack.mitre.org/techniques/T1543/"
134[[rule.threat.technique.subtechnique]]
135id = "T1543.003"
136name = "Windows Service"
137reference = "https://attack.mitre.org/techniques/T1543/003/"
138
139[[rule.threat.technique]]
140id = "T1574"
141name = "Hijack Execution Flow"
142reference = "https://attack.mitre.org/techniques/T1574/"
143[[rule.threat.technique.subtechnique]]
144id = "T1574.011"
145name = "Services Registry Permissions Weakness"
146reference = "https://attack.mitre.org/techniques/T1574/011/"
147
148
149
150[rule.threat.tactic]
151id = "TA0004"
152name = "Privilege Escalation"
153reference = "https://attack.mitre.org/tactics/TA0004/"
154
155
156
157[[rule.threat]]
158framework = "MITRE ATT&CK"
159[[rule.threat.technique]]
160id = "T1569"
161name = "System Services"
162reference = "https://attack.mitre.org/techniques/T1569/"
163[[rule.threat.technique.subtechnique]]
164id = "T1569.002"
165name = "Service Execution"
166reference = "https://attack.mitre.org/techniques/T1569/002/"
167
168
169
170[rule.threat.tactic]
171id = "TA0002"
172name = "Execution"
173reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Privilege Escalation via Service ImagePath Modification
Windows services are crucial for system operations, often running with high privileges. Adversaries exploit this by altering the ImagePath registry key of services to execute malicious code with elevated privileges. The detection rule identifies suspicious modifications to service ImagePaths, focusing on changes that deviate from standard executable paths, thus flagging potential privilege escalation attempts.
Possible investigation steps
- Review the specific registry key and value that triggered the alert to confirm it matches one of the monitored service keys, such as those listed in the query (e.g., *\LanmanServer, *\Winmgmt).
- Examine the modified ImagePath value to determine if it points to a non-standard executable path or a suspicious executable, especially those not located in %systemroot%\system32.
- Check the process.executable field to identify the process responsible for the registry modification and assess its legitimacy.
- Investigate the user account associated with the modification event to determine if it has elevated privileges, such as membership in the Server Operators group.
- Correlate the event with other logs or alerts to identify any related suspicious activities, such as unexpected service starts or process executions.
- Review recent changes or activities on the host to identify any unauthorized access or configuration changes that could indicate a broader compromise.
False positive analysis
- Legitimate software updates or installations may modify service ImagePaths. Users can create exceptions for known update processes or installation paths to prevent false positives.
- System administrators might intentionally change service configurations for maintenance or troubleshooting. Document and exclude these changes by adding exceptions for specific administrator actions or paths.
- Custom scripts or automation tools that modify service settings as part of their operation can trigger alerts. Identify and whitelist these scripts or tools to avoid unnecessary alerts.
- Some third-party security or management software may alter service ImagePaths as part of their functionality. Verify the legitimacy of such software and exclude their known paths from detection.
- Changes made by trusted IT personnel during system configuration or optimization should be logged and excluded from alerts to reduce noise.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified as running from non-standard executable paths, especially those not originating from the system32 directory.
- Restore the modified ImagePath registry key to its original state using a known good configuration or backup.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious files or persistence mechanisms.
- Review and audit user accounts and group memberships, particularly those with elevated privileges like Server Operators, to ensure no unauthorized changes have been made.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for future modifications to service ImagePath registry keys, focusing on deviations from standard paths to detect similar threats promptly.
References
Related rules
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- UAC Bypass via ICMLuaUtil Elevated COM Interface
- Conhost Spawned By Suspicious Parent Process