Detection rules › Sigma
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Privilege Escalation | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
| Defense Evasion | T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: selection
AccessList|contains: '%%1538'
ObjectName|contains: 'ControlSet\Services\'
ObjectName|contains: '\SYSTEM\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AccessList | match |
|
ObjectName | match |
|