Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Sigma rule (View on GitHub)
1title: Potential Privilege Escalation via Service Permissions Weakness
2id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
3status: test
4description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
7 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
8author: Teymur Kheirkhabarov
9date: 2019-10-26
10modified: 2024-12-01
11tags:
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.privilege-escalation
15 - attack.t1574.011
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 IntegrityLevel:
22 - 'Medium'
23 - 'S-1-16-8192'
24 CommandLine|contains|all:
25 - 'ControlSet'
26 - 'services'
27 CommandLine|contains:
28 - '\ImagePath'
29 - '\FailureCommand'
30 - '\ServiceDll'
31 condition: selection
32falsepositives:
33 - Unknown
34level: high
References
-
Slides from my talk at the OFFZONE 2018 conference (https://www.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/)
Read More -
In Windows environments when a service is registered with the system a new key is created in the registry which contains the binary path. Even though that this escalation vector is not very common …
Read More
Related rules
- Changing Existing Service ImagePath Value Via Reg.EXE
- Potential Persistence Attempt Via Existing Service Tampering
- Service Registry Permissions Weakness Check
- Possible Privilege Escalation via Weak Service Permissions
- Abuse of Service Permissions to Hide Services Via Set-Service