/
windows_service_creation_using_registry_entry.yml
78 lines (78 loc) · 3.51 KB
/
windows_service_creation_using_registry_entry.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: Windows Service Creation Using Registry Entry
id: 25212358-948e-11ec-ad47-acde48001122
version: 3
date: '2023-04-27'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects when reg.exe modify registry keys that
define Windows services and their configurations in Windows to detect potential
threats earlier and mitigate the risks. This detection is made by a Splunk query
that searches for specific keywords in the process name, parent process name, user,
and process ID. This detection is important because it suggests that an attacker
has modified the registry keys that define Windows services and their configurations,
which can allow them to maintain access to the system and potentially move laterally
within the network. It is a common technique used by attackers to gain persistence
on a compromised system and its impact can lead to data theft, ransomware, or other
damaging outcomes. False positives can occur since legitimate uses of reg.exe to
modify registry keys for Windows services can also trigger this alert. Next steps
include reviewing the process and user context of the reg.exe activity and identify
any other concurrent processes that might be associated with the attack upon triage.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name
= ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: Third party tools may used this technique to create services
but not so common.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md
tags:
analytic_story:
- Active Directory Lateral Movement
- Suspicious Windows Registry Activities
- Windows Persistence Techniques
- Windows Registry Abuse
- Brute Ratel C4
- PlugX
- CISA AA23-347A
asset_type: Endpoint
confidence: 80
impact: 80
message: A Windows Service was created on a endpoint from $dest$ using a registry
entry
mitre_attack_id:
- T1574.011
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Registry.dest
- Registry.registry_value_name
- Registry.registry_key_name
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
risk_score: 64
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog