Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Sigma rule
```yaml
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
```
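To show what the condition above actually fires on, here is an added example (written for this page, not SigmaHQ or pySigma code) that re-implements the rule's detection block in Python and runs it over a handful of constructed process-creation command lines. It assumes only the semantics the rule relies on: Sigma string matching is case-insensitive, `contains|all` requires every listed value as a literal substring, and a plain `contains` list requires any one of them. The service name `Fax` and the payload paths in the samples are placeholders, not real telemetry.

```python
from typing import Dict, List

# Added example (not SigmaHQ code): a minimal evaluator for the detection
# block of this rule. In practice the rule is compiled to a SIEM query with
# sigma-cli/pySigma; this only reproduces the `contains` semantics it uses.

# Each inner list is one alternative of a `contains|all` selection; the
# selection matches when some alternative has every needle present.
SELECTION_SC: List[List[str]] = [
    ["sc ", "config ", "binpath="],
    ["sc ", "failure", "command="],
]
SELECTION_REG_IMG: List[List[str]] = [
    ["reg ", "add ", "FailureCommand"],
    ["reg ", "add ", "ImagePath"],
]
# Plain `contains`: matches when any one needle is a substring. `$` is a
# literal character here (no `|re` modifier), not an end-of-string anchor,
# so '.bin$', '.msh$' and '.reg$' only match a command line that really
# contains a dollar sign right after the extension.
SELECTION_REG_EXT: List[str] = [
    ".sh", ".exe", ".dll", ".bin$", ".bat", ".cmd", ".js",
    ".msh$", ".reg$", ".scr", ".ps", ".vb", ".jar", ".pl",
]


def contains_all(cmdline: str, needles: List[str]) -> bool:
    """Sigma `contains|all`: every needle is a case-insensitive substring."""
    haystack = cmdline.lower()
    return all(n.lower() in haystack for n in needles)


def contains_any(cmdline: str, needles: List[str]) -> bool:
    """Sigma `contains` with a list: at least one needle is a substring."""
    haystack = cmdline.lower()
    return any(n.lower() in haystack for n in needles)


def evaluate(cmdline: str) -> Dict[str, bool]:
    """Value of each selection plus the rule condition
    `selection_sc or all of selection_reg_*`."""
    selection_sc = any(contains_all(cmdline, alt) for alt in SELECTION_SC)
    selection_reg_img = any(contains_all(cmdline, alt) for alt in SELECTION_REG_IMG)
    selection_reg_ext = contains_any(cmdline, SELECTION_REG_EXT)
    return {
        "selection_sc": selection_sc,
        "selection_reg_img": selection_reg_img,
        "selection_reg_ext": selection_reg_ext,
        "match": selection_sc or (selection_reg_img and selection_reg_ext),
    }


# Constructed CommandLine values (placeholders, not real logs).
SAMPLE_EVENTS: List[str] = [
    # 1. sc.exe swaps the binary started with the service -> selection_sc
    'sc config Fax binPath= "C:\\Users\\Public\\update.exe"',
    # 2. sc.exe sets a recovery command that runs when the service fails
    'sc failure Fax actions= restart/60000 command= "cmd /c C:\\ProgramData\\run.bat"',
    # 3. the change from 1 made directly in the registry; .exe satisfies reg_ext
    'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\Fax /v ImagePath '
    '/t REG_EXPAND_SZ /d "C:\\Users\\Public\\svc.exe" /f',
    # 4. FailureCommand set in the registry, payload ends in .bin: '.bin$' is
    #    literal, so selection_reg_ext is false and the rule does not fire
    'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\Fax /v FailureCommand '
    '/t REG_SZ /d "C:\\Users\\Public\\payload.bin" /f',
    # 5. same call as 1 invoked as sc.exe: no "sc " substring, so no hit
    'C:\\Windows\\System32\\sc.exe config Fax binPath= "C:\\Users\\Public\\update.exe"',
    # 6. benign query, must not match
    "sc query Fax",
]


def run(events: List[str]) -> List[bool]:
    """Evaluate the rule over a list of command lines."""
    return [evaluate(e)["match"] for e in events]


if __name__ == "__main__":
    for cmd, hit in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{'HIT ' if hit else 'miss'}  {cmd}")
```

Two of the misses are worth keeping in mind when tuning this rule: the `sc ` token requires a space after `sc`, so a command line that spells out `sc.exe` (or a full path to it) is not caught by `selection_sc`, and the `$`-suffixed extensions in `selection_reg_ext` are literal strings under `contains`, so a `.bin`, `.msh` or `.reg` payload set through `reg add` is only matched if another listed extension happens to appear elsewhere in the command line.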
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Changing Existing Service ImagePath Value Via Reg.EXE
- Possible Privilege Escalation via Weak Service Permissions
- Potential Privilege Escalation via Service Permissions Weakness