Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Sigma rule
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020/10/05
modified: 2022/07/07
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        CommandLine|contains|all:
            - 'reg '
            - 'add'
    powershell:
        CommandLine|contains:
            - 'powershell'
            - 'set-itemproperty'
            - ' sp '
            - 'new-itemproperty'
    select_data:
        IntegrityLevel: 'Medium'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: (reg or powershell) and select_data
fields:
    - EventID
    - IntegrityLevel
    - CommandLine
falsepositives:
    - Unknown
level: high
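To see what the condition `(reg or powershell) and select_data` actually selects, the following added example (not part of the Sigma project or this rule's sources) re-implements the rule's matching in Python and runs it over a few constructed process_creation events. It assumes Sigma's default case-insensitive `contains` semantics; the event dictionaries use the same field names as the rule.

```python
"""Evaluate the rule's selections against constructed process_creation events.
Matching follows Sigma defaults: 'contains' is a case-insensitive substring test."""

# Needles taken from the rule, lower-cased once because matching is case-insensitive.
REG_ALL = ("reg ", "add")                                   # selection 'reg' (contains|all)
POWERSHELL_ANY = ("powershell", "set-itemproperty", " sp ", "new-itemproperty")  # 'powershell'
SELECT_ALL = ("controlset", "services")                     # select_data contains|all
SELECT_ANY = ("imagepath", "failurecommand", "servicedll")  # select_data contains


def _contains_all(text: str, needles) -> bool:
    return all(n in text for n in needles)


def _contains_any(text: str, needles) -> bool:
    return any(n in text for n in needles)


def rule_matches(event: dict) -> bool:
    """Return True when the event satisfies (reg or powershell) and select_data."""
    cmd = event.get("CommandLine", "").lower()
    reg = _contains_all(cmd, REG_ALL)
    powershell = _contains_any(cmd, POWERSHELL_ANY)
    select_data = (
        event.get("IntegrityLevel") == "Medium"   # non-elevated process
        and _contains_all(cmd, SELECT_ALL)
        and _contains_any(cmd, SELECT_ANY)
    )
    return (reg or powershell) and select_data


# Constructed sample events (not real telemetry).
EVENTS = [
    {"IntegrityLevel": "Medium",   # non-privileged reg add on a service ImagePath: should fire
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d C:\Tools\x.exe /f"},
    {"IntegrityLevel": "High",     # same command from an elevated shell: excluded by IntegrityLevel
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /d C:\Tools\x.exe"},
    {"IntegrityLevel": "Medium",   # PowerShell cmdlet touching ServiceDll: should fire
     "CommandLine": r"powershell Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Foo -Name ServiceDll -Value C:\x.dll"},
    {"IntegrityLevel": "Medium",   # read-only query, no 'add' and no cmdlet: no match
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath"},
]


def matching_events(events=EVENTS) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if rule_matches(e)]
```

Note that `'add'` is matched anywhere in the command line, so a path or value containing that substring also satisfies the `reg` selection; tuning for that is a local decision, since the rule lists its false positives as unknown.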
Related rules
- Suspicious VBoxDrvInst.exe Parameters
- Run Once Task Execution as Configured in Registry
- ShimCache Flush
- Removal of Potential COM Hijacking Registry Keys
- Terminal Server Client Connection History Cleared - Registry