Potential Persistence Attempt Via Existing Service Tampering

Severity
medium
Author
Sreeman
Source
upstream

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

MITRE ATT&CK coverage

Tactic: Persistence
  • T1543.003 Create or Modify System Process: Windows Service
  • T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Tactic: Privilege Escalation
  • T1543.003 Create or Modify System Process: Windows Service
  • T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Tactic: Defense Evasion
  • T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness

Event coverage

  • Provider: Sysmon, Event ID 1: Process creation
  • Provider: Security-Auditing, Event ID 4688: A new process has been created.

Stages and Predicates

Stage 1: selection_sc

or:
CommandLine|contains: 'binpath='
CommandLine|contains: 'config '
CommandLine|contains: 'sc '
CommandLine|contains: 'command='
CommandLine|contains: failure
CommandLine|contains: 'sc '

Stage 2: all of selection_reg_img

or:
CommandLine|contains: FailureCommand
CommandLine|contains: 'add '
CommandLine|contains: 'reg '
CommandLine|contains: ImagePath
CommandLine|contains: 'add '
CommandLine|contains: 'reg '

Stage 3: all of selection_reg_ext

or:
CommandLine|contains: .bat
CommandLine|contains: '.bin$'
CommandLine|contains: .cmd
CommandLine|contains: .dll
CommandLine|contains: .exe
CommandLine|contains: .jar
CommandLine|contains: .js
CommandLine|contains: '.msh$'
CommandLine|contains: .pl
CommandLine|contains: .ps
CommandLine|contains: '.reg$'
CommandLine|contains: .scr
CommandLine|contains: .sh
CommandLine|contains: .vb
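As an added example (not part of the catalog page or the upstream rule), the following Python re-implements the rule's CommandLine predicates and runs them over constructed process-creation command lines, so a defender can see which events fire and which do not. It assumes the flattened stage lists group into contains|all triples (inferred from the repeated 'sc ', 'reg ' and 'add ' entries) and that the overall condition is selection_sc or (all of selection_reg_*); service names and paths in the samples are placeholders.

```python
# Assumed grouping of the flattened stage lists into contains|all triples,
# inferred from the repeated 'sc ', 'reg ' and 'add ' entries on the page.
SELECTION_SC = (
    ("sc ", "config ", "binpath="),
    ("sc ", "failure", "command="),
)
SELECTION_REG_IMG = (
    ("reg ", "add ", "imagepath"),
    ("reg ", "add ", "failurecommand"),
)
# Sigma 'contains' is a plain substring test, so the '$' in '.bin$', '.msh$'
# and '.reg$' is matched literally, exactly as the page lists the values.
SELECTION_REG_EXT = (
    ".bat", ".bin$", ".cmd", ".dll", ".exe", ".jar", ".js",
    ".msh$", ".pl", ".ps", ".reg$", ".scr", ".sh", ".vb",
)


def _all_of(command_line: str, needles: tuple) -> bool:
    """Sigma contains|all: every needle must appear as a substring."""
    return all(n in command_line for n in needles)


def rule_matches(command_line: str) -> bool:
    """Assumed condition: selection_sc or (all of selection_reg_*).
    Sigma string matching is case-insensitive, hence the lower()."""
    cl = command_line.lower()
    sc_hit = any(_all_of(cl, group) for group in SELECTION_SC)
    reg_img_hit = any(_all_of(cl, group) for group in SELECTION_REG_IMG)
    reg_ext_hit = any(ext in cl for ext in SELECTION_REG_EXT)
    return sc_hit or (reg_img_hit and reg_ext_hit)

# Constructed CommandLine values (Sysmon EID 1 / Security 4688); paths are placeholders.
SAMPLE_EVENTS = {
    "sc_binpath": r'sc config Spooler binpath= "C:\Users\Public\update.exe"',
    "sc_failure": r'sc failure Spooler reset= 0 actions= restart/1000 command= "C:\Users\Public\x.bat"',
    "reg_imagepath": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d C:\Users\Public\update.exe /f",
    "sc_query": "sc query Spooler",
    "reg_other": r"reg add HKLM\SOFTWARE\Contoso /v Setting /t REG_DWORD /d 1 /f",
}


def evaluate(events: dict) -> dict:
    """Map each event name to whether the rule would fire on its CommandLine."""
    return {name: rule_matches(cl) for name, cl in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:14} -> {'ALERT' if hit else 'ok'}")
```

Note that a `reg add ... ImagePath` line whose value carries none of the listed extensions does not fire, because the reg branch requires both selection_reg_img and selection_reg_ext.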

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank count or 1 means the indicator is specific to this rule.

Field: CommandLine
Kind: match
Values:
  • .bat corpus 8 (sigma 8)
  • .bin$
  • .cmd corpus 5 (sigma 5)
  • .dll corpus 15 (sigma 15)
  • .exe corpus 4 (sigma 4)
  • .jar corpus 2 (sigma 2)
  • .js corpus 6 (sigma 6)
  • .msh$
  • .pl corpus 2 (sigma 2)
  • .ps corpus 3 (sigma 3)
  • .reg$
  • .scr corpus 5 (sigma 5)
  • .sh corpus 2 (sigma 2)
  • .vb corpus 3 (sigma 3)
  • FailureCommand corpus 2 (sigma 2)
  • ImagePath corpus 2 (sigma 2)
  • add corpus 9 (sigma 9)
  • binpath=
  • command=
  • config corpus 2 (sigma 2)
  • failure corpus 2 (sigma 2)
  • reg corpus 3 (sigma 3)
  • sc