EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Suspicious Activity Using SeCEdit

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

MITRE ATT&CK

T1562.002T1547.001T1505.005T1556.002T1562T1574.007T1564.002T1546.008T1546.007T1547.014T1547.010T1547.002T1557T1082
collectiondiscoverypersistencedefense-evasioncredential-accessprivilege-escalation

Detection Query

selection_img:
  - Image|endswith: \secedit.exe
  - OriginalFileName: SeCEdit
selection_flags_discovery:
  CommandLine|contains|all:
    - /export
    - /cfg
selection_flags_configure:
  CommandLine|contains|all:
    - /configure
    - /db
condition: selection_img and (1 of selection_flags_*)

Author

Janantha Marasinghe

Created

2022-11-18

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.collectionattack.discoveryattack.persistenceattack.defense-evasionattack.credential-accessattack.privilege-escalationattack.t1562.002attack.t1547.001attack.t1505.005attack.t1556.002attack.t1562attack.t1574.007attack.t1564.002attack.t1546.008attack.t1546.007attack.t1547.014attack.t1547.010attack.t1547.002attack.t1557attack.t1082
Raw Content
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.defense-evasion
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1562.002
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1562
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium