ServiceDll Hijack

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

Sigma rule (View on GitHub)

 1title: ServiceDll Hijack
 2id: 612e47e9-8a59-43a6-b404-f48683f45bd6
 3status: experimental
 4description: |
 5    Detects changes to the "ServiceDLL" value related to a service in the registry.
 6    This is often used as a method of persistence.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
 9    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
10author: frack113
11date: 2022/02/04
12modified: 2024/03/26
13tags:
14    - attack.persistence
15    - attack.privilege_escalation
16    - attack.t1543.003
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|contains|all:
23            - '\System\'
24            - 'ControlSet'
25            - '\Services\'
26        TargetObject|endswith: '\Parameters\ServiceDll'
27    filter_main_printextensionmanger:
28        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
29    filter_main_domain_controller:
30        Image: 'C:\Windows\system32\lsass.exe'
31        TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
32        Details: '%%systemroot%%\system32\ntdsa.dll'
33    filter_main_poqexec:
34        Image: 'C:\Windows\System32\poqexec.exe'
35    filter_optional_safetica\:
36        Image|endswith: '\regsvr32.exe'
37        Details: 'C:\Windows\System32\STAgent.dll'
38    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
39falsepositives:
40    - Administrative scripts
41    - Installation of a service
42level: medium

References

Related rules

to-top