Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Sigma rule (View on GitHub)
1title: Potential Privilege Escalation via Service Permissions Weakness
2id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
3status: test
4description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
7 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
8author: Teymur Kheirkhabarov
9date: 2019-10-26
10modified: 2023-01-30
11tags:
12 - attack.privilege-escalation
13 - attack.t1574.011
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection:
19 IntegrityLevel: 'Medium'
20 CommandLine|contains|all:
21 - 'ControlSet'
22 - 'services'
23 CommandLine|contains:
24 - '\ImagePath'
25 - '\FailureCommand'
26 - '\ServiceDll'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Slides from my talk at the OFFZONE 2018 conference (https://www.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/)
Read More -
In Windows environments when a service is registered with the system a new key is created in the registry which contains the binary path. Even though that this escalation vector is not very common …
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Possible Privilege Escalation via Weak Service Permissions
- Service DACL Abuse To Hide Services Via Sc.EXE
- Service Registry Key Read Access Request