EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

ServiceDll Hijack

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

MITRE ATT&CK

T1543.003
persistenceprivilege-escalation

Detection Query

selection:
  TargetObject|contains|all:
    - \System\
    - ControlSet
    - \Services\
  TargetObject|endswith: \Parameters\ServiceDll
filter_main_printextensionmanger:
  Details: C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll
filter_main_domain_controller:
  Image: C:\Windows\system32\lsass.exe
  TargetObject|endswith: \Services\NTDS\Parameters\ServiceDll
  Details: "%%systemroot%%\\system32\\ntdsa.dll"
filter_main_poqexec:
  Image: C:\Windows\System32\poqexec.exe
filter_optional_safetica:
  Image|endswith: \regsvr32.exe
  Details: C:\Windows\System32\STAgent.dll
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

frack113

Created

2022-02-04

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.persistenceattack.privilege-escalationattack.t1543.003
Raw Content
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: test
description: |
    Detects changes to the "ServiceDLL" value related to a service in the registry.
    This is often used as a method of persistence.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
author: frack113
date: 2022-02-04
modified: 2024-04-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\'
            - 'ControlSet'
            - '\Services\'
        TargetObject|endswith: '\Parameters\ServiceDll'
    filter_main_printextensionmanger:
        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_main_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
        Details: '%%systemroot%%\system32\ntdsa.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_safetica:
        Image|endswith: '\regsvr32.exe'
        Details: 'C:\Windows\System32\STAgent.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
    - Installation of a service
level: medium