sigma | high | Hunting
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Detection Query
selection:
    IntegrityLevel:
        - Medium
        - S-1-16-8192
    CommandLine|contains|all:
        - ControlSet
        - services
    CommandLine|contains:
        - \ImagePath
        - \FailureCommand
        - \ServiceDll
condition: selection
Author
Teymur Kheirkhabarov
Created
2019-10-26
Data Sources
windows: Process Creation Events
Platforms
windows
References
Tags
attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
Raw Content
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
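
The following is an added example, not part of the rule or of the Sigma project's code: it evaluates the rule's selection against constructed process-creation events to show how the three field conditions combine. The event records, the tool name `example-tool.exe`, the service name `ExampleSvc` and the helper names are assumptions made for illustration.

```python
# Added example: evaluates the rule's selection against constructed events.
# Sigma semantics applied here: fields in a selection are ANDed, a plain value
# list is ORed, the |all modifier ANDs the list, and matching ignores case.

INTEGRITY_LEVELS = ["Medium", "S-1-16-8192"]
CONTAINS_ALL = ["ControlSet", "services"]
CONTAINS_ANY = ["\\ImagePath", "\\FailureCommand", "\\ServiceDll"]


def matches_rule(event):
    """Return True if a process-creation event satisfies the selection."""
    level = str(event.get("IntegrityLevel", "")).lower()
    cmd = str(event.get("CommandLine", "")).lower()
    return (
        level in [v.lower() for v in INTEGRITY_LEVELS]
        and all(v.lower() in cmd for v in CONTAINS_ALL)
        and any(v.lower() in cmd for v in CONTAINS_ANY)
    )


# Constructed sample events (hypothetical tool, service and path names).
SAMPLE_EVENTS = [
    # Medium integrity, service key plus a watched value name: matches.
    {"id": "medium-imagepath", "IntegrityLevel": "Medium",
     "CommandLine": r"example-tool.exe HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\ImagePath C:\placeholder.exe"},
    # Same command line from an elevated (High) process: filtered out.
    {"id": "high-imagepath", "IntegrityLevel": "High",
     "CommandLine": r"example-tool.exe HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\ImagePath C:\placeholder.exe"},
    # SID form of Medium, numbered control set, different casing: matches.
    {"id": "sid-servicedll-case", "IntegrityLevel": "S-1-16-8192",
     "CommandLine": r"example-tool.exe hklm\system\controlset001\SERVICES\ExampleSvc\Parameters\servicedll"},
    # Service key but none of the three watched value names: no match.
    {"id": "medium-start-value", "IntegrityLevel": "Medium",
     "CommandLine": r"example-tool.exe HKLM\SYSTEM\CurrentControlSet\services\ExampleSvc\Start"},
    # Watched value name outside any services key: no match.
    {"id": "medium-other-key", "IntegrityLevel": "Medium",
     "CommandLine": r"example-tool.exe HKLM\SOFTWARE\ExampleVendor\ImagePath"},
]


def triage(events):
    """Return the ids of events the selection would flag."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:22} -> {'ALERT' if matches_rule(e) else 'no match'}")
```

The selection keys on command-line text only, so a Medium-integrity command that merely names one of these values under a services key matches as well; that is worth keeping in mind when triaging hits.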