Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Sigma rule

title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains|all:
              - 'reg '
              - 'add'
        - CommandLine|contains:
              - 'powershell'
              - 'set-itemproperty'
              - ' sp '
              - 'new-itemproperty'
    selection_data:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
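The following is an added example, not part of the rule page or the Sigma project: a small Python evaluator that reproduces this rule's detection logic (selection_cli OR-ed across its two list entries, selection_data AND-ed across its fields, and the two selections combined with `all of selection_*`) and runs it over constructed process_creation events. It assumes Sigma's default case-insensitive `contains` matching and the Sysmon-style field names `CommandLine` and `IntegrityLevel` that the rule uses; the events, service name and paths are made up for the test.

```python
"""Minimal evaluator for the 'Non-privileged Usage of Reg or Powershell'
Sigma rule, run over constructed process_creation events.

Added example: this is not the rule page's or the Sigma project's code.
Assumes Sigma's case-insensitive substring matching for 'contains'.
"""

# Match lists copied from the rule's detection section
REG_ADD_ALL = ["reg ", "add"]                       # contains|all
PS_ANY = ["powershell", "set-itemproperty", " sp ", "new-itemproperty"]
SERVICE_PATH_ALL = ["ControlSet", "Services"]       # contains|all
SERVICE_VALUE_ANY = ["ImagePath", "FailureCommand", "ServiceDLL"]
NON_PRIVILEGED = {"medium", "s-1-16-8192"}          # IntegrityLevel values


def _contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': every needle is a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' with a list: any needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_cli(event: dict) -> bool:
    """Two list entries under selection_cli are OR-ed: reg add, or a PowerShell cmdlet."""
    cmd = event.get("CommandLine", "")
    return _contains_all(cmd, REG_ADD_ALL) or _contains_any(cmd, PS_ANY)


def selection_data(event: dict) -> bool:
    """Fields inside one selection map are AND-ed: non-privileged integrity level,
    a service key under ControlSet\\...\\Services, and one of the sensitive values."""
    cmd = event.get("CommandLine", "")
    integrity = str(event.get("IntegrityLevel", "")).lower()
    return (integrity in NON_PRIVILEGED
            and _contains_all(cmd, SERVICE_PATH_ALL)
            and _contains_any(cmd, SERVICE_VALUE_ANY))


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_cli(event) and selection_data(event)


def evaluate_events(events) -> list:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (service name, user and paths are invented)
SAMPLE_EVENTS = [
    {   # 0: reg add from a Medium-integrity process rewriting ImagePath -> alert
        "IntegrityLevel": "Medium",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc "
                       r"/v ImagePath /t REG_EXPAND_SZ /d C:\Users\alice\update.exe /f",
    },
    {   # 1: identical command from an elevated (High) process -> out of scope for this rule
        "IntegrityLevel": "High",
        "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc "
                       r"/v ImagePath /t REG_EXPAND_SZ /d C:\Users\alice\update.exe /f",
    },
    {   # 2: PowerShell Set-ItemProperty on ServiceDll at Medium integrity -> alert
        "IntegrityLevel": "Medium",
        "CommandLine": r"powershell.exe -NoProfile -Command Set-ItemProperty -Path "
                       r"'HKLM:\SYSTEM\CurrentControlSet\Services\ExampleSvc' "
                       r"-Name ServiceDll -Value 'C:\Temp\example.dll'",
    },
    {   # 3: read-only reg query of the same key -> no 'add', no alert
        "IntegrityLevel": "Medium",
        "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath",
    },
    {   # 4: reg add to an unrelated HKCU key -> selection_cli only, no alert
        "IntegrityLevel": "Medium",
        "CommandLine": r"reg add HKCU\Software\ExampleApp /v Setting /t REG_DWORD /d 1 /f",
    },
]

if __name__ == "__main__":
    for i in evaluate_events(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the module prints alerts for events 0 and 2 only. Two tuning points fall out of the evaluator: the `'add'` needle is a bare substring, so any command line containing words such as "Address" satisfies that half of the reg-add clause, and the rule deliberately ignores elevated processes (event 1), so a separate rule is needed if changes to `ImagePath` or `ServiceDLL` by administrators should also be reviewed.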
Related rules
- Enable LM Hash Storage
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Potentially Suspicious Desktop Background Change Via Registry
- Disable Internal Tools or Feature in Registry
- RestrictedAdminMode Registry Value Tampering