Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Sigma rule
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        # reg.exe writing a value; Sigma 'contains' matches are case-insensitive
        CommandLine|contains|all:
            - 'reg '
            - 'add'
    powershell:
        # any one of these; 'sp' is the built-in alias for Set-ItemProperty
        CommandLine|contains:
            - 'powershell'
            - 'set-itemproperty'
            - ' sp '
            - 'new-itemproperty'
    select_data:
        # Medium integrity = process is not elevated; the target is a service key
        # under HKLM\SYSTEM\...ControlSet...\Services and one of the values that
        # decide what the service executes
        IntegrityLevel: 'Medium'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: (reg or powershell) and select_data
fields:
    - EventID
    - IntegrityLevel
    - CommandLine
falsepositives:
    - Unknown
level: high
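The rule's matching logic, as an added example (Python, not code from the Sigma project): it evaluates `(reg or powershell) and select_data` over a handful of constructed Sysmon Event ID 1 style records, so you can see which command lines fire and why. Assumptions: Sigma `contains` matching is case-insensitive, the field names are the Sysmon `process_creation` ones (`IntegrityLevel` is a Sysmon field, so make sure your process-creation source actually populates it, otherwise `select_data` can never match), and `ExampleSvc` and all paths are placeholders. The last sample shows a practical caveat of the rule as written: the bare `add` substring also matches words like "additional", so a read-only `reg query` can trigger it.

```python
"""Evaluator for the Sigma rule 'Non-privileged Usage of Reg or Powershell'.

Added example, not from the Sigma repository. Events below are constructed
Sysmon EID 1 style records; service names and paths are placeholders.
"""


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' with a list: OR of case-insensitive substring checks."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': AND of case-insensitive substring checks."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies (reg or powershell) and select_data."""
    cmd = event.get("CommandLine", "")
    reg = _contains_all(cmd, ["reg ", "add"])
    powershell = _contains_any(
        cmd, ["powershell", "set-itemproperty", " sp ", "new-itemproperty"]
    )
    select_data = (
        # Medium integrity: the process is running without elevation. Writing a
        # service key there normally fails, so a successful write points at a
        # service key with weak ACLs (the privilege-escalation angle of the rule).
        str(event.get("IntegrityLevel", "")).lower() == "medium"
        and _contains_all(cmd, ["ControlSet", "Services"])
        and _contains_any(cmd, ["ImagePath", "FailureCommand", "ServiceDLL"])
    )
    return (reg or powershell) and select_data


# Constructed sample telemetry (hypothetical service 'ExampleSvc', fake paths).
SAMPLE_EVENTS = [
    {  # non-elevated reg.exe rewriting the service binary path -> fires
        "id": "reg-medium",
        "IntegrityLevel": "Medium",
        "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\payload.exe" /f',
    },
    {  # same command from an elevated admin prompt -> High integrity, no alert
        "id": "reg-high",
        "IntegrityLevel": "High",
        "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc" /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\payload.exe" /f',
    },
    {  # non-elevated PowerShell pointing a svchost-hosted service at a DLL -> fires
        "id": "ps-medium",
        "IntegrityLevel": "Medium",
        "CommandLine": r'powershell.exe -NoProfile -Command "Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters -Name ServiceDll -Value C:\Users\Public\evil.dll"',
    },
    {  # pwsh with the 'sp' alias: no 'powershell' string, caught by ' sp ' -> fires
        "id": "sp-alias-pwsh",
        "IntegrityLevel": "Medium",
        "CommandLine": r"pwsh -c sp HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc FailureCommand 'cmd.exe /c whoami'",
    },
    {  # read-only query of the same value -> no 'add', no alert
        "id": "reg-query-ok",
        "IntegrityLevel": "Medium",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath",
    },
    {  # read-only query, but 'additional' contains 'add' -> false positive
        "id": "fp-substring",
        "IntegrityLevel": "Medium",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath > C:\Users\Public\additional-notes.txt",
    },
]


def matching_ids(events=SAMPLE_EVENTS):
    """IDs of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "ALERT" if matches_rule(e) else "  ok "
        print(f"{flag}  {e['id']:<14} {e['CommandLine']}")
```

Running it prints four alerts (`reg-medium`, `ps-medium`, `sp-alias-pwsh`, `fp-substring`) and two clean lines. If the `fp-substring` case is noisy in your environment, tightening the `reg` selection to the `reg add` / `reg  add` forms (and tuning on `ParentImage`) is the obvious first adjustment; the rule's own `falsepositives` entry is still `Unknown`.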
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry