Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Sigma rule (View on GitHub)
1title: Service Registry Key Read Access Request
2id: 11d00fff-5dc3-428c-8184-801f292faec0
3status: test
4description: |
5 Detects "read access" requests on the services registry key.
6 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
7 Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
8references:
9 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
11author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
12date: 2023-09-28
13tags:
14 - attack.defense-evasion
15 - attack.persistence
16 - attack.privilege-escalation
17 - attack.t1574.011
18logsource:
19 product: windows
20 service: security
21 definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
22detection:
23 selection:
24 EventID: 4663
25 ObjectName|contains|all:
26 - '\SYSTEM\'
27 - 'ControlSet\Services\'
28 AccessList|contains: '%%1538' # READ_CONTROL
29 condition: selection
30falsepositives:
31 - Likely from legitimate applications reading their key. Requires heavy tuning
32level: low
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Security Descriptor Tampering Via Sc.EXE
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS