Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Sigma rule (View on GitHub)
1title: Changing Existing Service ImagePath Value Via Reg.EXE
2id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
3status: test
4description: |
5 Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
6 Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
7 Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
10author: frack113
11date: 2021-12-30
12modified: 2024-03-13
13tags:
14 - attack.persistence
15 - attack.t1574.011
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\reg.exe'
22 CommandLine|contains|all:
23 - 'add '
24 - 'SYSTEM\CurrentControlSet\Services\'
25 - ' ImagePath '
26 selection_value:
27 CommandLine|contains|windash: ' -d '
28 condition: all of selection*
29falsepositives:
30 - Unknown
31level: medium
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Potential Persistence Attempt Via Existing Service Tampering
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request