Skip to content
Threat Feed
high advisory

Suspicious ImagePath Service Creation

Adversaries may create or modify Windows services with malicious ImagePath values containing command shells or named pipes to establish persistence or escalate privileges, detected through registry modifications.

This rule identifies suspicious ImagePath values being created in the Windows Registry, specifically those associated with service creation. The rule focuses on registry changes to ImagePath entries, flagging unusual patterns like command shells (e.g., %COMSPEC%) or named pipes (e.g., \\\\.\\pipe\\*), which are often used in stealthy attacks. This activity may indicate an attempt to stealthily persist or escalate privileges through abnormal service creation. The detection logic examines registry paths related to service ImagePaths and looks for specific data strings indicative of malicious activity. Identifying these modifications early can help defenders prevent malicious actors from establishing persistent access to compromised systems. The rule is sourced from Elastic and was last updated on April 7, 2026.

Attack Chain

  1. Initial Access: The attacker gains initial access through unspecified means.
  2. Privilege Escalation (if needed): The attacker elevates privileges using exploits or other techniques.
  3. Service Creation Discovery: The attacker identifies existing services and their configurations in the registry.
  4. Malicious Service Configuration: The attacker modifies the ImagePath of a legitimate or newly created service to point to a malicious executable or script using a command shell (%COMSPEC%) or named pipe.
  5. Registry Modification: The attacker modifies the registry key HKLM\SYSTEM\ControlSet*\Services\*\ImagePath with the malicious ImagePath value.
  6. Service Start: The attacker starts the service, either manually or by waiting for the system to start it automatically.
  7. Code Execution: The malicious executable or script specified in the ImagePath is executed with elevated privileges in the background.
  8. Persistence/Defense Evasion: The malicious service runs persistently, providing the attacker with continued access to the system while potentially evading detection by blending in with legitimate system processes.

Impact

Successful exploitation allows an attacker to establish persistence on a compromised system, enabling them to execute arbitrary code with elevated privileges. This can lead to data theft, system compromise, and further lateral movement within the network. The use of named pipes can also facilitate covert communication channels for command and control. The rule aims to detect these activities before significant damage occurs.

Recommendation

  • Enable Windows Registry event logging, specifically monitoring changes to HKLM\SYSTEM\ControlSet*\Services\*\ImagePath, to detect suspicious ImagePath modifications.
  • Deploy the Sigma rule "Detect Suspicious ImagePath Service Creation with Cmd" to identify malicious ImagePath values containing command shells.
  • Deploy the Sigma rule "Detect Suspicious ImagePath Service Creation with Named Pipes" to identify malicious ImagePath values containing named pipes.
  • Investigate any alerts generated by these rules, focusing on the parent process and user account responsible for the registry change, as suggested in the rule's investigation guide.
  • Implement enhanced monitoring and logging for similar registry changes and suspicious service creations to proactively detect and respond to future threats promptly.
  • Regularly review and update the list of exceptions to ensure they align with current organizational practices and software environments, as mentioned in the false positive analysis.

Detection coverage 2

Detect Suspicious ImagePath Service Creation with Cmd

high

Detects ImagePath values containing %COMSPEC%, indicating potential malicious service creation

sigma tactics: defense_evasion, persistence techniques: T1112, T1543.003 sources: registry_set, windows

Detect Suspicious ImagePath Service Creation with Named Pipes

high

Detects ImagePath values containing named pipes, indicating potential malicious service creation

sigma tactics: defense_evasion, persistence techniques: T1112, T1543.003 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →