← Back to Explore
sigmalowHunting
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Detection Query
selection:
EventID: 4663
ObjectName|contains|all:
- \SYSTEM\
- ControlSet\Services\
AccessList|contains: "%%1538"
condition: selection
Author
Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
Created
2023-09-28
Data Sources
windowssecurity
Platforms
windows
References
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.011
Raw Content
title: Service Registry Key Read Access Request
id: 11d00fff-5dc3-428c-8184-801f292faec0
status: test
description: |
Detects "read access" requests on the services registry key.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-28
tags:
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1574.011
logsource:
product: windows
service: security
definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
detection:
selection:
EventID: 4663
ObjectName|contains|all:
- '\SYSTEM\'
- 'ControlSet\Services\'
AccessList|contains: '%%1538' # READ_CONTROL
condition: selection
falsepositives:
- Likely from legitimate applications reading their key. Requires heavy tuning
level: low