Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Sigma rule (View on GitHub)
1title: Service Registry Permissions Weakness Check
2id: 95afc12e-3cbb-40c3-9340-84a032e596a3
3status: test
4description: |
5 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
6 Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
7 Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
10 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
11author: frack113
12date: 2021-12-30
13tags:
14 - attack.persistence
15 - attack.t1574.011
16 - stp.2a
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 ScriptBlockText|contains|all:
24 - 'get-acl'
25 - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
26 condition: selection
27falsepositives:
28 - Legitimate administrative script
29level: medium
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Changing Existing Service ImagePath Value Via Reg.EXE
- Potential Persistence Attempt Via Existing Service Tampering
- Service DACL Abuse To Hide Services Via Sc.EXE