Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Sigma rule (View on GitHub)
1title: Service Registry Key Read Access Request
2id: 11d00fff-5dc3-428c-8184-801f292faec0
3status: test
4description: |
5 Detects "read access" requests on the services registry key.
6 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
7 Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
8references:
9 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
11author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
12date: 2023-09-28
13tags:
14 - attack.defense-evasion
15 - attack.persistence
16 - attack.privilege-escalation
17 - attack.t1574.011
18logsource:
19 product: windows
20 service: security
21 definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
22detection:
23 selection:
24 EventID: 4663
25 ObjectName|contains|all:
26 - '\SYSTEM\'
27 - 'ControlSet\Services\'
28 AccessList|contains: '%%1538' # READ_CONTROL
29 condition: selection
30falsepositives:
31 - Likely from legitimate applications reading their key. Requires heavy tuning
32level: low
References
-
Improved Analytic Scoring Application (A) User-mode (U) Kernel-mode (K) Core to (Sub-) Technique (5) EventID: 4663 TargetObject: “*SYSTEM\CurrentControlSet\Services\*” Core to Part of (Sub-) Techn...
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Possible Privilege Escalation via Weak Service Permissions
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Security Descriptor Tampering Via Sc.EXE