← Back to Explore
sigmahighHunting
Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Detection Query
selection_cli:
- CommandLine|contains|all:
- "reg "
- add
- CommandLine|contains:
- powershell
- set-itemproperty
- " sp "
- new-itemproperty
selection_data:
IntegrityLevel:
- Medium
- S-1-16-8192
CommandLine|contains|all:
- ControlSet
- Services
CommandLine|contains:
- ImagePath
- FailureCommand
- ServiceDLL
condition: all of selection_*
Author
Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
Created
2020-10-05
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.persistenceattack.defense-evasionattack.t1112
Raw Content
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-evasion
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: all of selection_*
falsepositives:
- Unknown
level: high