security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
36e6f54e43f15b7c6f0cb8636c4fdccc4257e9f5
sigma-rules/rules_building_block/defense_evasion_service_path_registry.toml
T
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
2025-03-26 11:04:14 -04:00

99 lines
2.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services
for persistence or privilege escalation.
"""
from = "now-119m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Service Path Modification"
risk_score = 21
rule_id = "f243fe39-83a4-46f3-a3b6-707557a102df"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Rule Type: BBR",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type == "change" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath"
) and not (
process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\services.exe",
"?:\\Windows\\WinSxS\\*"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.003"
name = "Windows Service"
reference = "https://attack.mitre.org/techniques/T1543/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink