Non-privileged Usage of Reg or Powershell

Detects use of the reg utility or PowerShell by non-privileged (Medium integrity) users to modify service configuration in the registry.

Sigma rule

title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020/10/05
modified: 2022/07/07
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        CommandLine|contains|all:
            - 'reg '
            - 'add'
    powershell:
        CommandLine|contains:
            - 'powershell'
            - 'set-itemproperty'
            - ' sp '
            - 'new-itemproperty'
    select_data:
        IntegrityLevel: 'Medium'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: (reg or powershell) and select_data
fields:
    - EventID
    - IntegrityLevel
    - CommandLine
falsepositives:
    - Unknown
level: high
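To see what the condition `(reg or powershell) and select_data` actually flags, the following is an added, hand-written matcher for this one rule run over a few constructed process_creation events. It is not Sigma's own engine (pySigma) and not part of the rule repository; the service name `ExampleSvc`, the paths and the event contents are made up for the example. It mirrors one Sigma semantic that is easy to forget when hunting by hand: `contains` and plain string equality match case-insensitively, so `ServiceDLL` in the rule also matches `ServiceDll` on the command line.

```python
"""Evaluate the Sigma rule above against constructed process_creation events.

Added example, not Sigma's own matcher: a minimal implementation of the
rule's three selections and its condition `(reg or powershell) and select_data`.
Sigma's `contains` modifier and string equality are case-insensitive, so
every comparison lower-cases both sides.
"""


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_rule(event):
    """Return True if a process_creation event satisfies the rule's condition."""
    cmd = event.get("CommandLine", "")
    integrity = event.get("IntegrityLevel", "")

    # selection `reg`: CommandLine|contains|all: ['reg ', 'add']
    reg = _contains_all(cmd, ["reg ", "add"])
    # selection `powershell`: CommandLine|contains: any of the four strings
    powershell = _contains_any(
        cmd, ["powershell", "set-itemproperty", " sp ", "new-itemproperty"]
    )
    # selection `select_data`: Medium integrity, a service key path, and one of
    # the three value names that control what the service executes
    select_data = (
        integrity.lower() == "medium"
        and _contains_all(cmd, ["ControlSet", "Services"])
        and _contains_any(cmd, ["ImagePath", "FailureCommand", "ServiceDLL"])
    )
    return (reg or powershell) and select_data


# Constructed sample events (not real telemetry); ExampleSvc is a placeholder.
SAMPLE_EVENTS = [
    {  # reg.exe rewriting a service ImagePath from a Medium-integrity process: alert
        "EventID": 1,
        "IntegrityLevel": "Medium",
        "CommandLine": 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc '
                       '/v ImagePath /t REG_EXPAND_SZ /d "C:\\Users\\Public\\example.exe" /f',
    },
    {  # the same change from an elevated (High integrity) process: outside the rule's scope
        "EventID": 1,
        "IntegrityLevel": "High",
        "CommandLine": 'reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc '
                       '/v ImagePath /t REG_EXPAND_SZ /d "C:\\Program Files\\Example\\svc.exe" /f',
    },
    {  # PowerShell Set-ItemProperty on ServiceDll (mixed case) at Medium integrity: alert
        "EventID": 1,
        "IntegrityLevel": "Medium",
        "CommandLine": "powershell.exe -c Set-ItemProperty -Path "
                       "'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Parameters' "
                       "-Name ServiceDll -Value 'C:\\Users\\Public\\example.dll'",
    },
    {  # a read-only reg query of an unrelated key: no match
        "EventID": 1,
        "IntegrityLevel": "Medium",
        "CommandLine": "reg query HKCU\\Software\\Example",
    },
]


def alerts(events=SAMPLE_EVENTS):
    """Return the rule's `fields` for every event the condition flags."""
    return [
        {k: e.get(k) for k in ("EventID", "IntegrityLevel", "CommandLine")}
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in alerts():
        print(hit)
```

Running it flags the first and third events only: the High-integrity `reg add` is excluded by `select_data`, which is exactly the "non-privileged" scoping the rule relies on, and the `reg query` fails both the `add` substring and the service-key checks. When porting the rule to a SIEM by hand, keep that case-insensitivity and the `IntegrityLevel` field in place; dropping either changes what the rule catches.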
