Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
detection:
selection:
TargetObject|contains|all:
- 'ControlSet'
- '\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- ':\ProgramData\'
- '\AppData\Local\'
- '\AppData\Roaming\'
filter_optional_zoom:
TargetObject|contains: '\Services\ZoomCptService'
Details|contains: 'C:\Program Files\Common Files\Zoom\Support\CptService.exe'
filter_optional_mbami:
TargetObject|contains: '\Services\MBAMInstallerService'
Details|contains|all:
- 'C:\Users\'
- 'AppData\Local\Temp\MBAMInstallerService.exe'
filter_main_windefend:
TargetObject|contains:
- '\Services\WinDefend\'
- '\Services\MpKs'
Details|contains: 'C:\ProgramData\Microsoft\Windows Defender\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Techniques
Other
c625c4c2-515d-407f-8bb6-456f65955669