Potential Privilege Escalation via Service Permissions Weakness

Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level

Sigma rule

```yaml
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
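To make the `selection` block concrete, here is an added Python re-implementation of its matching logic (not code from the Sigma project or the rule's author) run over constructed process_creation events; the service name, paths and command lines are placeholders, and the events carry only the two fields the rule inspects.

```python
# Added example: plain-Python equivalent of this rule's `selection` block.
# Sigma `contains` modifiers are case-insensitive, so everything is compared
# in lower case; that is why the rule's '\ServiceDll' also covers 'ServiceDLL'
# as spelled in the description.

INTEGRITY_LEVELS = {"medium", "s-1-16-8192"}           # IntegrityLevel (name or SID)
REQUIRED_ALL = ("controlset", "services")                # CommandLine|contains|all
REQUIRED_ANY = ("\\imagepath", "\\failurecommand", "\\servicedll")  # CommandLine|contains


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every clause of `selection`."""
    integrity = str(event.get("IntegrityLevel", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if integrity not in INTEGRITY_LEVELS:
        return False          # High/System processes are outside the rule's scope
    if not all(tok in cmdline for tok in REQUIRED_ALL):
        return False          # command line does not reference ...ControlSet...\services
    return any(tok in cmdline for tok in REQUIRED_ANY)


def alerts(events: list) -> list:
    """Indices of the events that would raise this rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry); 'ExampleSvc' is a placeholder.
SAMPLE_EVENTS = [
    # 0: Medium-integrity process rewriting a service binary path -> alert
    {"IntegrityLevel": "Medium",
     "CommandLine": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\ImagePath" /f'},
    # 1: same level given as SID, value name in upper case -> alert (case-insensitive)
    {"IntegrityLevel": "S-1-16-8192",
     "CommandLine": r'powershell.exe -c "Set-Item HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDLL"'},
    # 2: identical change from a High-integrity installer -> no alert
    {"IntegrityLevel": "High",
     "CommandLine": r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\ImagePath" /f'},
    # 3: Medium process only reading the service key -> no alert (no value token)
    {"IntegrityLevel": "Medium",
     "CommandLine": r'reg.exe query HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc'},
]

if __name__ == "__main__":
    print("alerting events:", alerts(SAMPLE_EVENTS))   # -> [0, 1]
```

Event 3 also shows the rule's boundary: the `contains` tokens start with a backslash, so a command line naming the value without a preceding backslash is not matched by this rule alone.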
