Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Registry Persistence via Service in Safe Mode

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Mon Apr 04Updated Wed Oct 221547e27c-3974-43e2-a7d7-7f484fb928ecwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic4 selectors
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
Testing & Validation

Simulations

atomic-red-teamT1112
View on ART

Windows Add Registry Value to Load Service in Safe Mode without Network

GUID: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5

atomic-red-teamT1112
View on ART

Windows Add Registry Value to Load Service in Safe Mode with Network

GUID: c173c948-65e5-499c-afbe-433722ed5bd4

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
1547e27c-3974-43e2-a7d7-7f484fb928ec
Status
test
Level
high
Type
Detection
Created
Mon Apr 04
Modified
Wed Oct 22
Author
François Hubaut
Path
rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
Raw Tags
attack.defense-evasionattack.t1564.001
View on GitHub