Non-privileged Usage of Reg or Powershell

Search for usage of reg or PowerShell by non-privileged users to modify service configuration in the registry

Sigma rule

title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains|all:
              - 'reg '
              - 'add'
        - CommandLine|contains:
              - 'powershell'
              - 'set-itemproperty'
              - ' sp '
              - 'new-itemproperty'
    selection_data:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
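The rule combines two selections: selection_cli is a list, so either of its items may match (reg with add, or any of the PowerShell strings), while selection_data is a map whose three clauses must all hold (Medium integrity, a ControlSet\...\Services path, and one of the service values). The following is an added example, not code from the Sigma project or from the rule's authors, that reproduces that logic in Python and runs it over a few constructed process_creation events. It assumes the event fields are named CommandLine and IntegrityLevel as in the rule, and uses Sigma's default case-insensitive substring semantics for `contains`.

```python
"""Evaluate the 'Non-privileged Usage of Reg or Powershell' rule logic over sample
process_creation events (added example; not the Sigma project's own code).

Sigma 'contains' matching is case-insensitive, so both the event value and the
rule strings are compared in lower case.
"""

# selection_data: IntegrityLevel may be given as a name or as the SID string
MEDIUM_INTEGRITY = {"medium", "s-1-16-8192"}

# selection_cli: first list item (contains|all) OR second list item (contains)
REG_ADD_ALL = ["reg ", "add"]
POWERSHELL_ANY = ["powershell", "set-itemproperty", " sp ", "new-itemproperty"]

# selection_data: both path fragments AND one of the service values
SERVICE_PATH_ALL = ["controlset", "services"]
SERVICE_VALUE_ANY = ["imagepath", "failurecommand", "servicedll"]


def _contains_all(haystack: str, needles) -> bool:
    return all(n in haystack for n in needles)


def _contains_any(haystack: str, needles) -> bool:
    return any(n in haystack for n in needles)


def selection_cli(event: dict) -> bool:
    """List items in a Sigma selection are OR-ed together."""
    cmd = str(event.get("CommandLine", "")).lower()
    return _contains_all(cmd, REG_ADD_ALL) or _contains_any(cmd, POWERSHELL_ANY)


def selection_data(event: dict) -> bool:
    """Map keys in a Sigma selection are AND-ed together."""
    cmd = str(event.get("CommandLine", "")).lower()
    integrity = str(event.get("IntegrityLevel", "")).lower()
    return (
        integrity in MEDIUM_INTEGRITY
        and _contains_all(cmd, SERVICE_PATH_ALL)
        and _contains_any(cmd, SERVICE_VALUE_ANY)
    )


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_cli(event) and selection_data(event)


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # 1: non-admin user rewriting a service binary path with reg.exe -> alert
    {"IntegrityLevel": "Medium",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v ImagePath /t REG_EXPAND_SZ /d C:\constructed\svc.exe /f'},
    # 2: same command from an elevated prompt -> no alert (not non-privileged)
    {"IntegrityLevel": "High",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v ImagePath /t REG_EXPAND_SZ /d C:\constructed\svc.exe /f'},
    # 3: PowerShell cmdlet, integrity level logged as SID string -> alert
    {"IntegrityLevel": "S-1-16-8192",
     "CommandLine": r'powershell.exe -Command Set-ItemProperty -Path '
                    r'HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'-Name ServiceDll -Value C:\constructed\svc.dll'},
    # 4: read-only query of the same value -> no alert (no 'add', no cmdlet)
    {"IntegrityLevel": "Medium",
     "CommandLine": r'reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                    r'/v ImagePath'},
    # 5: reg add outside the Services hive -> no alert (selection_data fails)
    {"IntegrityLevel": "Medium",
     "CommandLine": r'reg add HKCU\Software\ExampleApp /v ImagePath /d 1 /f'},
]


def evaluate(events) -> list:
    """Return the rule verdict for each event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["IntegrityLevel"].ljust(12),
              event["CommandLine"][:70])
```

Events 1 and 3 fire; 2 is excluded by the integrity level, 4 lacks both the `add` keyword and any PowerShell cmdlet, and 5 never touches a `ControlSet\...\Services` key. When tuning, note that the bare substrings `add` and ` sp ` are broad: any command line that contains them (for example a path component) satisfies selection_cli, so the precision of this rule comes almost entirely from selection_data's path and value checks.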
