Threat Feed advisory (severity: low)

Unusual Persistence via Services Registry Modification

Detects processes that write the Windows services registry key directly rather than through the Service Control Manager API, which can indicate a stealthy persistence attempt via abnormal service creation or modification.

This detection identifies processes that modify the Windows services registry key directly instead of through the expected Windows APIs. When a service is created or reconfigured through the Service Control Manager (CreateService, ChangeServiceConfig, or tools such as sc.exe that call them), the registry write is performed by services.exe on the caller's behalf; a write to the same values from another process, such as reg.exe or powershell.exe, is therefore unusual. That behaviour can signify an adversary's attempt to establish persistence stealthily by creating a new service or altering an existing one in an unexpected manner. The detection logic focuses on changes to the ImagePath and ServiceDLL values under HKLM\SYSTEM\ControlSet*\Services\*, the two values that decide which executable the service runs or which DLL the hosting svchost.exe process loads for it. The rule is designed for data generated by Elastic Defend and also supports Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon registry events. It helps analysts identify service manipulation that can lead to persistent access and control over a compromised system, and it excludes known legitimate processes and paths to minimise false positives, so that only anomalous registry modifications surface.

Attack Chain

  1. An attacker gains initial access to a Windows system, for example through phishing or exploitation of a vulnerability.
  2. The attacker escalates privileges to administrative or SYSTEM level; writing under HKLM\SYSTEM\ControlSet*\Services requires it.
  3. Instead of calling the Service Control Manager, the attacker writes the registry directly, setting the HKLM\SYSTEM\ControlSet*\Services\<service>\ImagePath value to a malicious executable or the HKLM\SYSTEM\ControlSet*\Services\<service>\Parameters\ServiceDLL value to a malicious DLL (ServiceDLL normally sits under the service's Parameters subkey).
  4. The malicious executable or DLL is now what the service runs: ImagePath names the process the SCM starts, and ServiceDLL names the library the hosting svchost.exe process loads, so the payload survives reboots.
  5. The service starts automatically at boot or on demand when the attacker triggers it.
  6. The service executes the attacker's code, giving persistent control over the system.
  7. The attacker uses that foothold for further activity such as data exfiltration or lateral movement.

Impact

A successful modification gives the attacker persistence on the compromised system, maintaining access across reboots and user logoffs. This can lead to long-term control over the system, enabling data theft, deployment of ransomware, or use of the host as a foothold for further attacks within the network. The impact is amplified when an existing critical service is hijacked: the original binary no longer runs, which can cause instability or denial of service, and the payload inherits the service's account, which for many services is LocalSystem.

Recommendation

  • Enable Sysmon registry event logging, in particular Event ID 13 (RegistryEvent, value set) for the Services key, or use one of the other supported sources (Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel), so the data for this detection is captured (Data Source: Sysmon).
  • Deploy the provided Sigma rules to your SIEM to detect unusual service registry modifications (Sigma rules).
  • Tune the Sigma rules by adding exceptions for legitimate software installers or updaters that write service registry values directly; scope each exception to the full image path rather than a bare file name, since an attacker can name a binary anything (Sigma rules).
  • Investigate alerts by examining the process that wrote the ImagePath or ServiceDLL value, the new value it wrote (a path under a user-writable location such as Temp or Users\Public is a strong signal), whether the service existed before the write, and whether the referenced binary is signed (Sigma rules).
  • Review endpoint protection policies so that unauthorized writes to these values are detected and, where the product supports it, blocked (Response and remediation).

Detection coverage (2 rules)

Suspicious Service ImagePath Registry Modification

Severity: high

Detects modification of the ImagePath registry value of a service by a process other than the expected system processes (known legitimate processes and paths are excluded).

Format: Sigma · Tactics: Defense Evasion, Persistence · Techniques: T1112 (Modify Registry), T1543.003 (Create or Modify System Process: Windows Service) · Log source: windows / registry_set

Suspicious Service ServiceDLL Registry Modification

Severity: high

Detects modification of the ServiceDLL registry value of a service by a process other than the expected system processes (known legitimate processes and paths are excluded).

Format: Sigma · Tactics: Defense Evasion, Persistence · Techniques: T1112 (Modify Registry), T1543.003 (Create or Modify System Process: Windows Service) · Log source: windows / registry_set
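The feed keeps its queries private, so the following is an added example rather than the platform's own rule: a small Python matcher that applies the logic described in the detection summary and in the two coverage items above (ImagePath or ServiceDLL written under HKLM\SYSTEM\ControlSet*\Services by a process other than the expected ones) to Sysmon Event ID 13 records. The field names follow Sysmon's RegistryEvent schema; the allow-list of trusted writers, the service names and the sample events are constructed for the example and are not real telemetry.

```python
import re

# Added example (not the feed's own query): a minimal matcher that applies the
# logic of the two coverage rules above to Sysmon Event ID 13 records
# (RegistryEvent, value set). Field names follow Sysmon's schema; the sample
# events and the trusted-process list are constructed for this example.

# Services\<name>\ImagePath and Services\<name>\...\ServiceDLL. ServiceDLL
# normally lives under the service's Parameters subkey, so intermediate
# subkeys are allowed between the service name and the value name.
SERVICE_VALUE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<service>[^\\]+)\\(?:[^\\]+\\)*(?P<value>ImagePath|ServiceDLL)$",
    re.IGNORECASE,
)

# Processes expected to write these values: the Service Control Manager and
# installers. Assumed allow-list for the example; extend it during tuning,
# always by full image path.
TRUSTED_IMAGES = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}

RULE_NAMES = {
    "imagepath": "Suspicious Service ImagePath Registry Modification",
    "servicedll": "Suspicious Service ServiceDLL Registry Modification",
}


def evaluate(event):
    """Return a finding for an EID 13 record that matches either rule, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    match = SERVICE_VALUE_RE.match(event.get("TargetObject", ""))
    if match is None:
        return None
    if event.get("Image", "").lower() in TRUSTED_IMAGES:
        return None  # written through the SCM or a known installer
    value = match.group("value")
    return {
        "rule": RULE_NAMES[value.lower()],
        "service": match.group("service"),
        "value": value,
        "image": event.get("Image", ""),
        "new_value": event.get("Details", ""),
        "user": event.get("User", ""),
    }


def scan(events):
    """Apply evaluate() to every record and return the list of findings."""
    return [f for f in map(evaluate, events) if f is not None]


def _eid13(image, target, details, user=r"NT AUTHORITY\SYSTEM"):
    return {"EventID": 13, "EventType": "SetValue", "Image": image,
            "TargetObject": target, "Details": details, "User": user}


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # 1. SCM creating a service via CreateService: expected, excluded.
    _eid13(r"C:\Windows\System32\services.exe",
           r"HKLM\System\CurrentControlSet\Services\ExampleAgent\ImagePath",
           r"C:\Program Files\ExampleAgent\agent.exe"),
    # 2. reg.exe re-pointing an existing service at a user-writable path: alert.
    _eid13(r"C:\Windows\System32\reg.exe",
           r"HKLM\System\CurrentControlSet\Services\ExampleAgent\ImagePath",
           r"C:\Users\Public\update.exe", user=r"CORP\jdoe"),
    # 3. PowerShell setting ServiceDLL under Parameters: alert (svchost loads it).
    _eid13(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"HKLM\System\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDLL",
           r"C:\ProgramData\svc.dll", user=r"CORP\jdoe"),
    # 4. Same service key, a value the rules do not watch: no match.
    _eid13(r"C:\Windows\System32\reg.exe",
           r"HKLM\System\CurrentControlSet\Services\ExampleAgent\Start",
           r"DWORD (0x00000002)"),
    # 5. An installer writing ImagePath: excluded.
    _eid13(r"C:\Windows\System32\msiexec.exe",
           r"HKLM\System\ControlSet001\Services\VendorSvc\ImagePath",
           r"C:\Program Files\Vendor\vendor.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['image']} set "
              f"{finding['service']}\\{finding['value']} = {finding['new_value']}")
```

Running the script flags events 2 and 3 only. Two design points carry over to a real Sigma or EQL rule: the service-name wildcard must be allowed to span the Parameters subkey or ServiceDLL writes are missed, and the exclusion compares the full lower-cased image path, so a binary merely named services.exe in another directory still alerts.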
