sigma · medium · Hunting

Potential Persistence Attempt Via Existing Service Tampering

Detects the modification of an existing service so that an arbitrary payload is executed when the service is started (binPath / ImagePath) or when it fails, for example because its process is killed (failure action / FailureCommand), as a potential method for persistence.

MITRE ATT&CK

privilege-escalation, defense-evasion, persistence

Detection Query

selection_sc:
  - CommandLine|contains|all:
      - "sc "
      - "config "
      - binpath=
  - CommandLine|contains|all:
      - "sc "
      - failure
      - command=
selection_reg_img:
  - CommandLine|contains|all:
      - "reg "
      - "add "
      - FailureCommand
  - CommandLine|contains|all:
      - "reg "
      - "add "
      - ImagePath
selection_reg_ext:
  CommandLine|contains:
    - .sh
    - .exe
    - .dll
    - .bin$
    - .bat
    - .cmd
    - .js
    - .msh$
    - .reg$
    - .scr
    - .ps
    - .vb
    - .jar
    - .pl
condition: selection_sc or all of selection_reg_*
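The following Python replays the rule's matching logic over a handful of constructed process-creation events. It is an added example, not part of the rule, its author's work, or the SigmaHQ project. It assumes Sigma's documented string semantics: matching is case-insensitive and `contains` is a plain substring test, which means the `$` in `.bin$`, `.msh$` and `.reg$` is matched literally rather than as an end-of-string anchor. The service name, paths and command lines in the samples are hypothetical. Besides the two positive branches, the samples show two cases a hunter should know about: a FailureCommand pointing at a `.bin` payload (no extension term matches, so the registry branch does not fire) and `sc.exe config ...` (the literal `sc ` term with its trailing space never occurs when the image name is fully qualified).

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): replay the
# rule's detection logic over constructed process-creation events. Assumptions:
# Sigma string matching is case-insensitive, and the `contains` modifier is a
# plain substring test, so the '$' in '.bin$', '.msh$' and '.reg$' is literal.

# Search terms copied verbatim from the rule, lower-cased for case-insensitive
# matching. Each inner list is one `contains|all` alternative.
SELECTION_SC = [
    ["sc ", "config ", "binpath="],
    ["sc ", "failure", "command="],
]
SELECTION_REG_IMG = [
    ["reg ", "add ", "failurecommand"],
    ["reg ", "add ", "imagepath"],
]
SELECTION_REG_EXT = [
    ".sh", ".exe", ".dll", ".bin$", ".bat", ".cmd", ".js",
    ".msh$", ".reg$", ".scr", ".ps", ".vb", ".jar", ".pl",
]


def contains_all(cmdline, terms):
    """Sigma `contains|all`: every term must be a substring of the field."""
    return all(term in cmdline for term in terms)


def evaluate(event):
    """Evaluate the rule's selections and condition against one event.

    Returns each selection's result plus the final verdict so the reader
    can see which branch fired.
    """
    cmdline = event.get("CommandLine", "").lower()
    selection_sc = any(contains_all(cmdline, alt) for alt in SELECTION_SC)
    selection_reg_img = any(contains_all(cmdline, alt) for alt in SELECTION_REG_IMG)
    selection_reg_ext = any(term in cmdline for term in SELECTION_REG_EXT)
    # condition: selection_sc or all of selection_reg_*
    matched = selection_sc or (selection_reg_img and selection_reg_ext)
    return {
        "selection_sc": selection_sc,
        "selection_reg_img": selection_reg_img,
        "selection_reg_ext": selection_reg_ext,
        "matched": matched,
    }


# Constructed sample events (hypothetical service name and payload paths).
SAMPLE_EVENTS = {
    "sc_binpath": {
        "CommandLine": r'sc config Fax binpath= "C:\Users\Public\payload.exe"'},
    "sc_failure": {
        "CommandLine": r'sc failure Fax reset= 0 actions= restart/5000 command= "C:\Users\Public\payload.exe"'},
    "reg_imagepath": {
        "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Fax /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\payload.exe" /f'},
    # Same technique via FailureCommand, but the payload ends in .bin: the
    # rule's '.bin$' term is matched literally, so selection_reg_ext is false.
    "reg_failurecommand_bin": {
        "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Fax /v FailureCommand /t REG_SZ /d "C:\Users\Public\payload.bin" /f'},
    # Fully qualified image name: "sc.exe config" never contains "sc ".
    "sc_exe_binpath": {
        "CommandLine": r'sc.exe config Fax binpath= "C:\Users\Public\payload.exe"'},
    # Benign service queries that share the "sc " prefix must not fire.
    "sc_query": {"CommandLine": "sc query wuauserv"},
    "sc_qc": {"CommandLine": "sc qc Fax"},
}


def run_samples():
    """Return {sample name: matched} for every constructed sample."""
    return {name: evaluate(ev)["matched"] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {'ALERT' if verdict else 'no match'}")
```

Running the block prints one verdict per sample: the two `sc` variants and the `reg add ... ImagePath ... .exe` event alert, while the `.bin` FailureCommand, the `sc.exe` form and the benign `sc query` / `sc qc` commands do not. Both misses follow directly from the rule text, so anyone tuning this hunt should decide whether to drop the trailing `$` characters and to add `sc.exe ` as a second prefix alternative before relying on it.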

Author

Sreeman

Created

2020-09-29

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1543.003, attack.t1574.011
Raw Content
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium