Non-privileged Usage of Reg or Powershell

Detects the use of reg.exe or PowerShell by non-privileged users (processes running at Medium integrity) to modify service configuration in the registry.

Sigma rule

```yaml
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains|all:
              - 'reg '
              - 'add'
        - CommandLine|contains:
              - 'powershell'
              - 'set-itemproperty'
              - ' sp '
              - 'new-itemproperty'
    selection_data:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
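The condition `all of selection_*` requires both selections to hold on the same event: `selection_cli` is satisfied either by `reg ` together with `add`, or by any one of the PowerShell tokens, while `selection_data` additionally requires a Medium integrity level (`S-1-16-8192` is the SID of the Medium Mandatory Level label) and a command line that names a service key under `ControlSet...\Services` plus one of the three sensitive value names. Sigma `contains` matching is case-insensitive unless the `cased` modifier is used. To make the interaction of these pieces concrete, the following Python reproduces the rule's logic and runs it over a handful of constructed `process_creation` events. This is an added example, not code from the rule authors or the Sigma project; the field names `CommandLine` and `IntegrityLevel` come from the rule, but the service name, paths and events are constructed samples.

```python
"""Re-implementation of the Sigma rule's detection logic (example code,
not part of the Sigma project) evaluated against constructed events."""

# String tokens copied from the rule's detection section.
REG_ADD_TOKENS = ("reg ", "add")                        # selection_cli, alternative 1 (all must appear)
PS_TOKENS = ("powershell", "set-itemproperty", " sp ", "new-itemproperty")  # alternative 2 (any)
MEDIUM_INTEGRITY = ("Medium", "S-1-16-8192")            # S-1-16-8192 = Medium Mandatory Level SID
SERVICE_PATH_TOKENS = ("ControlSet", "Services")        # all must appear
SERVICE_VALUE_TOKENS = ("ImagePath", "FailureCommand", "ServiceDLL")  # any


def _contains_all(haystack: str, needles) -> bool:
    # Sigma 'contains' is case-insensitive by default (no 'cased' modifier in this rule).
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def _contains_any(haystack: str, needles) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def selection_cli(command_line: str) -> bool:
    """selection_cli: ('reg ' AND 'add') OR any PowerShell registry-write token."""
    return _contains_all(command_line, REG_ADD_TOKENS) or _contains_any(command_line, PS_TOKENS)


def selection_data(event: dict) -> bool:
    """selection_data: Medium integrity AND service key path AND a sensitive value name."""
    cmd = event.get("CommandLine", "")
    integrity = event.get("IntegrityLevel", "").lower()
    return (
        integrity in {m.lower() for m in MEDIUM_INTEGRITY}
        and _contains_all(cmd, SERVICE_PATH_TOKENS)
        and _contains_any(cmd, SERVICE_VALUE_TOKENS)
    )


def matches(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold on the same event)."""
    return selection_cli(event.get("CommandLine", "")) and selection_data(event)


# Constructed sample events; 'ExampleSvc' and C:\Temp\example.exe are placeholders.
SAMPLE_EVENTS = [
    {   # 1: reg add on a service ImagePath from a Medium integrity process -> alert
        "IntegrityLevel": "Medium",
        "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                       r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Temp\example.exe" /f',
    },
    {   # 2: identical command from an elevated (High integrity) admin shell -> no alert
        "IntegrityLevel": "High",
        "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                       r'/v ImagePath /t REG_EXPAND_SZ /d "C:\Temp\example.exe" /f',
    },
    {   # 3: PowerShell Set-ItemProperty, Medium integrity SID form -> alert
        "IntegrityLevel": "S-1-16-8192",
        "CommandLine": r'powershell -c "Set-ItemProperty -Path '
                       r'HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc '
                       r'-Name ImagePath -Value C:\Temp\example.exe"',
    },
    {   # 4: reg add to a user hive, not a service key -> no alert
        "IntegrityLevel": "Medium",
        "CommandLine": r'reg add HKCU\Software\Example /v Setting /t REG_DWORD /d 1 /f',
    },
    {   # 5: read-only reg query of a service key -> no alert ('add' token absent)
        "IntegrityLevel": "Medium",
        "CommandLine": r'reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath',
    },
]


def run_examples() -> list:
    """Return the rule verdict for each sample event, in order."""
    return [matches(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for i, (event, hit) in enumerate(zip(SAMPLE_EVENTS, run_examples()), start=1):
        print(f"event {i}: {'ALERT' if hit else 'no match'}  {event['CommandLine'][:60]}")
```

Events 2, 4 and 5 show where the rule deliberately stays quiet: the same write from an elevated shell fails the integrity check, a write outside `ControlSet\Services` fails the path check, and a `reg query` lacks the `add` token. When tuning this rule, the `IntegrityLevel` field must actually be populated by the process creation source (Sysmon does this; classic Security event 4688 does not), otherwise `selection_data` can never match.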
