Service Registry Key Read Access Request

 1title: Service Registry Key Read Access Request
 2id: 11d00fff-5dc3-428c-8184-801f292faec0
 3status: test
 4description: |
 5    Detects "read access" requests on the services registry key.
 6    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
 7    Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.    
 8references:
 9    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
11author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
12date: 2023-09-28
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.execution
17    - attack.stealth
18    - attack.t1574.011
19logsource:
20    product: windows
21    service: security
22    definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
23detection:
24    selection:
25        EventID: 4663
26        ObjectName|contains|all:
27            - '\SYSTEM\'
28            - 'ControlSet\Services\'
29        AccessList|contains: '%%1538' # READ_CONTROL
30    condition: selection
31falsepositives:
32    - Likely from legitimate applications reading their key. Requires heavy tuning
33level: low