Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Sigma rule (View on GitHub)
1title: Service Registry Key Read Access Request
2id: 11d00fff-5dc3-428c-8184-801f292faec0
3status: experimental
4description: |
5 Detects "read access" requests on the services registry key.
6 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
7 Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
8references:
9 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
11author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
12date: 2023/09/28
13tags:
14 - attack.defense_evasion
15 - attack.persistence
16 - attack.privilege_escalation
17 - attack.t1574.011
18logsource:
19 product: windows
20 service: security
21 definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
22detection:
23 selection:
24 EventID: 4663
25 ObjectName|contains|all:
26 - '\SYSTEM\'
27 - 'ControlSet\Services\'
28 AccessList|contains: '%%1538' # READ_CONTROL
29 condition: selection
30falsepositives:
31 - Likely from legitimate applications reading their key. Requires heavy tuning
32level: low
References
-
Improved Analytic Scoring Application (A) User-mode (U) Kernel-mode (K) Core to (Sub-) Technique (5) EventID: 4663 TargetObject: “*SYSTEM\CurrentControlSet\Services\*” Core to Part of (Sub-) Techn...
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Possible Privilege Escalation via Weak Service Permissions
- Azure AD Threat Intelligence
- VMMap Signed Dbghelp.DLL Potential Sideloading
- VMMap Unsigned Dbghelp.DLL Potential Sideloading
- Activity From Anonymous IP Address