Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Sigma rule
```yaml
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
```
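To see how the condition `selection_sc or all of selection_reg_*` behaves on real process-creation events, here is a small evaluator that reproduces the rule's selection logic in plain Python and runs it over a handful of constructed command lines. This is an added example for testing the rule's logic offline; it is not part of the Sigma rule, the SigmaHQ tooling, or any vendor backend. It assumes the Sigma default that `contains` is a case-insensitive substring test, and the sample events, service name `ExampleSvc` and paths are invented for the demonstration.

```python
"""Stand-alone evaluator for the 'Existing Service Tampering' Sigma rule.

Added example, not the rule's or SigmaHQ's own code. It hard-codes the
rule's three selections and applies the condition
    selection_sc or (selection_reg_img and selection_reg_ext)
to dictionaries shaped like process_creation events.
"""
from typing import Dict, List

# selection_sc: each inner list is one 'CommandLine|contains|all' group.
# Values are lower-cased because Sigma string matching is case-insensitive.
SELECTION_SC: List[List[str]] = [
    ["sc ", "config ", "binpath="],
    ["sc ", "failure", "command="],
]

# selection_reg_img: the two 'reg add' groups.
SELECTION_REG_IMG: List[List[str]] = [
    ["reg ", "add ", "failurecommand"],
    ["reg ", "add ", "imagepath"],
]

# selection_reg_ext: a single 'CommandLine|contains' list (any value matches).
# The '$' characters are kept literally, exactly as they appear in the rule.
SELECTION_REG_EXT: List[str] = [
    ".sh", ".exe", ".dll", ".bin$", ".bat", ".cmd", ".js",
    ".msh$", ".reg$", ".scr", ".ps", ".vb", ".jar", ".pl",
]


def contains_all(haystack: str, needles: List[str]) -> bool:
    """Sigma 'contains|all': every value must be a substring."""
    return all(n in haystack for n in needles)


def contains_any(haystack: str, needles: List[str]) -> bool:
    """Sigma 'contains' with a list: at least one value must be a substring."""
    return any(n in haystack for n in needles)


def which_selections(event: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate each named selection of the rule against one event."""
    cmd = event.get("CommandLine", "").lower()
    return {
        "selection_sc": any(contains_all(cmd, g) for g in SELECTION_SC),
        "selection_reg_img": any(contains_all(cmd, g) for g in SELECTION_REG_IMG),
        "selection_reg_ext": contains_any(cmd, SELECTION_REG_EXT),
    }


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's condition: selection_sc or all of selection_reg_*."""
    s = which_selections(event)
    return s["selection_sc"] or (s["selection_reg_img"] and s["selection_reg_ext"])


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events (service name, paths and file names are invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. service binary path changed with sc.exe -> selection_sc
    {"CommandLine": r'sc config ExampleSvc binpath= "C:\Users\Public\update.exe"'},
    # 2. failure action set with sc.exe -> selection_sc
    {"CommandLine": r'sc failure ExampleSvc command= "C:\Users\Public\helper.bat"'},
    # 3. ImagePath rewritten with reg.exe, payload has an extension -> both reg selections
    {"CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\update.exe"'},
    # 4. ImagePath rewritten but no listed extension -> selection_reg_img only, no alert
    {"CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath /d C:\Temp\tool"},
    # 5. benign service query -> no selection
    {"CommandLine": "sc query ExampleSvc"},
    # 6. unrelated registry write with an .exe -> selection_reg_ext only, no alert
    {"CommandLine": r"reg add HKLM\SOFTWARE\Example /v Path /d C:\Tools\app.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(matches_rule(e), which_selections(e), e["CommandLine"])
```

Events 4 and 6 show why the condition reads `all of selection_reg_*`: a `reg add` against `ImagePath` or `FailureCommand` only alerts when the same command line also carries one of the listed extensions, whereas the `sc` selections alert on their own. Two caveats when tuning: `contains` is a plain substring test, so the rule's `.bin$`, `.msh$` and `.reg$` values match those literal characters rather than acting as end-of-string anchors, and a short needle such as `'sc '` can also match inside longer tokens, which is worth remembering when investigating why the rule fired.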
Related rules
- Changing Existing Service ImagePath Value Via Reg.EXE
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System