Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. READ_CONTROL is the right to read a key's security descriptor (owner, DACL, SACL), so a burst of such reads across service keys is what permission enumeration looks like before a hijack attempt. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services: where the permissions on a service's Registry key are weak, they can redirect the originally specified executable to one they control, so their code runs when the service starts.
Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
Log Source
Product: windows
Service: security
Definition
Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule. Event 4663 is only generated when, in addition to the SACL, the Object Access > Audit Registry subcategory of the advanced audit policy is enabled for Success; without both, the rule will never fire regardless of the activity.
Detection Logic
detection:
    selection:
        EventID: 4663
        ObjectName|contains|all:
            - '\SYSTEM\'
            - 'ControlSet\Services\'
        AccessList|contains: '%%1538' # READ_CONTROL
    condition: selection
False Positives
Likely from legitimate applications reading their own service key; service control tooling and the Service Control Manager itself also generate this event routinely. Requires heavy tuning, typically by allowlisting the processes that account for the bulk of the volume, before the rule is usable for alerting.
MITRE ATT&CK
Tactics: Defense Evasion, Persistence, Privilege Escalation
Technique: T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
Rule Metadata
Rule ID
11d00fff-5dc3-428c-8184-801f292faec0
Status
test
Level
low
Type
Detection
Created
Thu Sep 28
Path
rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml
Raw Tags
attack.defense-evasion
attack.persistence
attack.privilege-escalation
attack.t1574.011