Changing Existing Service ImagePath Value Via Reg.EXE

calendar Aug 12, 2024 · attack.persistence attack.t1574.011  ·
Share on: linkedin copy

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Sigma rule (View on GitHub)

 1title: Changing Existing Service ImagePath Value Via Reg.EXE
 2id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
 3status: test
 4description: |
 5    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
 6    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
 7    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
10author: frack113
11date: 2021-12-30
12modified: 2024-03-13
13tags:
14    - attack.persistence
15    - attack.t1574.011
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\reg.exe'
22        CommandLine|contains|all:
23            - 'add '
24            - 'SYSTEM\CurrentControlSet\Services\'
25            - ' ImagePath '
26    selection_value:
27        CommandLine|contains|windash: ' -d '
28    condition: all of selection*
29falsepositives:
30    - Unknown
31level: medium

References

Related rules

to-top