Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Sigma rule
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.persistence
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
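To see how the condition `selection_sc or all of selection_reg_*` behaves on real telemetry, the following Python evaluates the rule's keyword groups against a handful of constructed process_creation events. This is an added example for this page, not part of the Sigma rule or the SigmaHQ project. It reproduces the semantics of Sigma's `contains` modifier as a case-insensitive plain substring test, which means the `$` in values such as `.bin$` is matched literally rather than as a regex anchor; the last sample event shows the effect of that. All command lines, service names and paths are made-up sample data.

```python
"""Evaluate the Sigma rule's detection logic against constructed process_creation events."""

# Keyword groups copied from the rule above. Sigma string matching is
# case-insensitive and `contains` is a plain substring test (no regex), so
# the '$' characters in '.bin$', '.msh$' and '.reg$' are matched literally.
SELECTION_SC = [
    ["sc ", "config ", "binpath="],
    ["sc ", "failure", "command="],
]
SELECTION_REG_IMG = [
    ["reg ", "add ", "FailureCommand"],
    ["reg ", "add ", "ImagePath"],
]
SELECTION_REG_EXT = [
    ".sh", ".exe", ".dll", ".bin$", ".bat", ".cmd", ".js",
    ".msh$", ".reg$", ".scr", ".ps", ".vb", ".jar", ".pl",
]


def _contains_all(command_line, terms):
    """True when every term is a (case-insensitive) substring of the command line."""
    cl = command_line.lower()
    return all(t.lower() in cl for t in terms)


def _contains_any(command_line, terms):
    """True when at least one term is a (case-insensitive) substring of the command line."""
    cl = command_line.lower()
    return any(t.lower() in cl for t in terms)


def matches_rule(event):
    """Return True when the event satisfies: selection_sc or all of selection_reg_*."""
    cl = event.get("CommandLine", "")
    selection_sc = any(_contains_all(cl, group) for group in SELECTION_SC)
    selection_reg_img = any(_contains_all(cl, group) for group in SELECTION_REG_IMG)
    selection_reg_ext = _contains_any(cl, SELECTION_REG_EXT)
    return selection_sc or (selection_reg_img and selection_reg_ext)


# Constructed sample events (not real telemetry); the comment on each states
# the expected outcome under the rule as written.
SAMPLE_EVENTS = [
    # hit: selection_sc, first group (sc config ... binpath=)
    {"CommandLine": r'sc config ExampleSvc binpath= "C:\Users\Public\update.exe"'},
    # hit: selection_sc, second group (sc failure ... command=)
    {"CommandLine": r'sc failure ExampleSvc command= "C:\Users\Public\run.bat"'},
    # hit: selection_reg_img (reg add ... ImagePath) and selection_reg_ext (.exe)
    {"CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\svc.exe" /f'},
    # miss: reg add on a different value, no ImagePath/FailureCommand, no extension
    {"CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v Start /t REG_DWORD /d 2 /f'},
    # miss: routine service configuration without binpath= or failure
    {"CommandLine": "sc config Spooler start= auto"},
    # miss: read-only query
    {"CommandLine": "sc query ExampleSvc"},
    # miss: ImagePath set to a .bin file; '.bin$' is a literal substring, so it does not fire
    {"CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\svc.bin" /f'},
]


def scan(events):
    """Return the command lines of all events that match the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

Running the block prints the three matching command lines. The final sample event is the one worth noting when tuning: because `.bin$` is compared as a literal substring, an ImagePath pointing at a `.bin` file is not covered by `selection_reg_ext`, so a deployment that wants that coverage needs to adjust the value rather than rely on the `$`.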
References
- https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Changing Existing Service ImagePath Value Via Reg.EXE
- CosmicDuke Service Installation