Potential Privilege Escalation via Service Permissions Weakness

Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes running at Medium integrity level

Sigma rule

```yaml
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
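To see exactly which process_creation events the selection above fires on, the following added example (not part of the SigmaHQ rule or its tooling) re-implements the selection block in Python with Sigma's case-insensitive `contains` semantics and runs it over constructed sample events; the service name, paths and command lines are made up for the test.

```python
"""Evaluate the 'selection' block of Sigma rule 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
against process_creation events. The events below are constructed samples, not telemetry."""

INTEGRITY_LEVELS = {"medium", "s-1-16-8192"}                      # IntegrityLevel, either form
REQUIRE_ALL = ("controlset", "services")                           # CommandLine|contains|all
REQUIRE_ANY = ("\\imagepath", "\\failurecommand", "\\servicedll")  # CommandLine|contains


def matches(event: dict) -> bool:
    """True when the event satisfies the selection. Sigma 'contains' is
    case-insensitive, so both fields are lowercased before comparison."""
    level = str(event.get("IntegrityLevel", "")).lower()
    cmd = str(event.get("CommandLine", "")).lower()
    if level not in INTEGRITY_LEVELS:
        return False
    if not all(tok in cmd for tok in REQUIRE_ALL):
        return False
    return any(tok in cmd for tok in REQUIRE_ANY)


# Constructed events shaped like Sysmon Event ID 1 / Security 4688 fields.
SAMPLE_EVENTS = [
    {   # 0: Medium-integrity process referencing a service ImagePath value path -> alert
        "IntegrityLevel": "Medium",
        "CommandLine": "powershell -NoProfile -Command Set-Item -Path "
                       "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath "
                       "-Value C:\\Temp\\placeholder.exe",
    },
    {   # 1: identical command from an elevated (High) shell -> outside the rule's scope
        "IntegrityLevel": "High",
        "CommandLine": "powershell -NoProfile -Command Set-Item -Path "
                       "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath "
                       "-Value C:\\Temp\\placeholder.exe",
    },
    {   # 2: integrity level given as SID; the value name follows '/v ', not a backslash,
        # so the backslash-prefixed patterns do not match this form. A coverage point to
        # verify against your own telemetry when tuning the rule.
        "IntegrityLevel": "S-1-16-8192",
        "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc "
                       "/v ImagePath /t REG_EXPAND_SZ /d C:\\Temp\\placeholder.exe /f",
    },
    {   # 3: read-only query of the same key -> no match
        "IntegrityLevel": "Medium",
        "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc",
    },
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```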
