/
registry_set_servicedll_hijack.yml
42 lines (42 loc) · 1.56 KB
/
registry_set_servicedll_hijack.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: experimental
description: |
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
author: frack113
date: 2022/02/04
modified: 2024/04/03
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\System\'
- 'ControlSet'
- '\Services\'
TargetObject|endswith: '\Parameters\ServiceDll'
filter_main_printextensionmanger:
Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
filter_main_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
Details: '%%systemroot%%\system32\ntdsa.dll'
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_optional_safetica:
Image|endswith: '\regsvr32.exe'
Details: 'C:\Windows\System32\STAgent.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative scripts
- Installation of a service
level: medium