Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Sigma rule (View on GitHub)
1title: Service Registry Permissions Weakness Check
2id: 95afc12e-3cbb-40c3-9340-84a032e596a3
3status: test
4description: |
5 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
6 Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
7 Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
10 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
11author: frack113
12date: 2021-12-30
13tags:
14 - attack.privilege-escalation
15 - attack.defense-evasion
16 - attack.persistence
17 - attack.t1574.011
18 - stp.2a
19logsource:
20 product: windows
21 category: ps_script
22 definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24 selection:
25 ScriptBlockText|contains|all:
26 - 'get-acl'
27 - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
28 condition: selection
29falsepositives:
30 - Legitimate administrative script
31level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
This cmdlet is only available on the Windows platform. The Get-Acl cmdlet gets objects that represent the security descriptor of a file or resource. The security descriptor contains the access control lists (ACLs) of the resource. The ACL specifies the permissions that users and user groups have to access the resource. Beginning in Windows PowerShell 3.0, you can use the InputObject parameter of Get-Acl to get the security descriptor of objects that do not have a path.
Read More
Related rules
- Changing Existing Service ImagePath Value Via Reg.EXE
- Potential Persistence Attempt Via Existing Service Tampering
- Potential Privilege Escalation via Service Permissions Weakness
- Possible Privilege Escalation via Weak Service Permissions
- Abuse of Service Permissions to Hide Services Via Set-Service