[metadata] creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/03/06" [rule] author = ["Elastic"] description = """ Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" query = ''' registry where host.os.type == "windows" and registry.path : ( "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" ) and not registry.data.strings : ( "?:\\windows\\system32\\Drivers\\*.sys", "\\SystemRoot\\System32\\drivers\\*.sys", "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS", "system32\\DRIVERS\\USBSTOR") and not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and not process.executable : ( "?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", "?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\winsxs\\*\\TiWorker.exe", "?:\\Windows\\System32\\drvinst.exe", "?:\\Windows\\System32\\services.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\System32\\regsvr32.exe") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"