high threat

Suspicious ImagePath Service Creation in Registry

Detection of suspicious ImagePath values written to the registry, indicating potential persistence or privilege escalation via abnormal service creation involving command interpreters or named pipes.

This rule identifies suspicious modifications to the ImagePath registry value associated with Windows services. Attackers may modify this value to execute arbitrary code with elevated privileges, achieving persistence or escalating privileges. The detection focuses on ImagePath values that include command interpreters such as cmd.exe or PowerShell, or that point to local named pipes; both are unusual service configurations and indicative of malicious intent. The rule alerts security teams to such modifications of the ImagePath value so they can investigate potential persistence mechanisms. The rule covers a wide range of sources, including Elastic Endpoint, Sysmon, Microsoft Defender XDR, SentinelOne, and CrowdStrike.

Attack Chain

  1. Attacker gains initial access to the system (e.g., via compromised credentials or vulnerability exploitation).
  2. Attacker elevates privileges to Administrator or SYSTEM to modify service configurations.
  3. Attacker modifies the ImagePath registry value for an existing or newly created service using tools like reg.exe or PowerShell.
  4. The ImagePath is set to execute a command interpreter (cmd.exe, powershell.exe) or a malicious script.
  5. Alternatively, the ImagePath is set to point to a named pipe, allowing the attacker to execute code when the service starts and connects to the pipe.
  6. The attacker ensures the service is configured to start automatically.
  7. When the system restarts or the service is manually started, the malicious code in the ImagePath is executed with SYSTEM privileges.
  8. The attacker achieves persistence and can perform malicious activities such as installing malware, stealing credentials, or establishing a command-and-control channel.

Impact

Successful exploitation allows attackers to achieve persistent access to the compromised system with SYSTEM privileges. This can lead to complete system compromise, data theft, installation of ransomware, or use of the system as a foothold for further attacks within the network. The high privileges associated with services make this persistence mechanism particularly dangerous.

Recommendation

  • Deploy the provided Sigma rules to your SIEM to detect suspicious ImagePath modifications in registry events.
  • Enable Sysmon registry event logging to capture the required data for the Sigma rules to function correctly.
  • Investigate any alerts generated by the Sigma rules, focusing on the process that modified the ImagePath and the content of the registry.data.strings field.
  • Implement strict access controls for service creation and modification to prevent unauthorized changes to service configurations.
  • Monitor process execution and network connections originating from processes launched via the modified ImagePath to identify malicious activity.
  • Consider using application control solutions to restrict the execution of unauthorized command interpreters or scripts from within service contexts.

Detection coverage (2 rules)

Detect Suspicious ImagePath Service Creation - Command Interpreter

high

Detects suspicious ImagePath service creation where the path contains a command interpreter (cmd.exe, powershell.exe).

Sigma rule · tactics: persistence · techniques: T1543.003 · sources: registry_set, windows

Detect Suspicious ImagePath Service Creation - Named Pipe

high

Detects suspicious ImagePath service creation where the path points to a named pipe.

Sigma rule · tactics: persistence · techniques: T1543.003 · sources: registry_set, windows
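The two rules above share one shape: select registry-set events whose target is a service's ImagePath value, then test the written data for a command interpreter or a named-pipe path. The following Python is an added illustration of that logic over a few constructed events, not the platform's Sigma rules or any vendor's code. It assumes events have been mapped to Elastic-style field names (registry.path, registry.data.strings, process.executable, as the rule description's reference to registry.data.strings suggests); the sample events, service names and file paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry value written when a service's binary path is created or changed.
# Accepts both hive spellings and both the CurrentControlSet alias and the
# numbered ControlSet00N keys that some sensors report.
SERVICE_IMAGEPATH_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\[^\\]+\\ImagePath$",
    re.IGNORECASE,
)

# Indicators named by the two rules. Substring matching is deliberate:
# ImagePath is often REG_EXPAND_SZ with %SystemRoot%, quotes or arguments.
COMMAND_INTERPRETERS = ("cmd.exe", "powershell.exe")
NAMED_PIPE_PREFIX = "\\\\.\\pipe\\"  # the literal prefix \\.\pipe\

RULE_INTERPRETER = "Detect Suspicious ImagePath Service Creation - Command Interpreter"
RULE_NAMED_PIPE = "Detect Suspicious ImagePath Service Creation - Named Pipe"

# Constructed sample events (ECS-style field names are an assumption).
SAMPLE_EVENTS = [
    {   # reg.exe rewrites a service binary to a batch file via cmd.exe -> hit
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
        "registry.data.strings": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\run.bat",
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
    {   # services.exe registering a normal svchost-hosted service -> benign
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath",
        "registry.data.strings": r"%SystemRoot%\System32\svchost.exe -k NetworkService -p",
        "process.executable": r"C:\Windows\System32\services.exe",
    },
    {   # ImagePath pointing at a local named pipe -> hit
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\UpdSvc\ImagePath",
        "registry.data.strings": r"\\.\pipe\updatesvc",
        "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # a different value under the same service key -> out of scope
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\Start",
        "registry.data.strings": "2",
        "process.executable": r"C:\Windows\System32\reg.exe",
    },
]


@dataclass
class Hit:
    rule: str
    registry_path: str
    image_path: str
    writer: str  # process that performed the write; the first thing to triage


def is_service_imagepath(registry_path: str) -> bool:
    """True when the written value is a service's ImagePath."""
    return SERVICE_IMAGEPATH_RE.match(registry_path) is not None


def classify_image_path(image_path: str) -> Optional[str]:
    """Return the matching rule name for an ImagePath value, or None if clean."""
    lowered = image_path.lower()
    if any(tool in lowered for tool in COMMAND_INTERPRETERS):
        return RULE_INTERPRETER
    if NAMED_PIPE_PREFIX.lower() in lowered:
        return RULE_NAMED_PIPE
    return None


def run_detection(events: Iterable[dict]) -> List[Hit]:
    """Apply both rules to a stream of registry-set events."""
    hits: List[Hit] = []
    for ev in events:
        path = ev.get("registry.path", "")
        if not is_service_imagepath(path):
            continue  # cheap pre-filter: only ImagePath writes matter
        data = ev.get("registry.data.strings", "")
        rule = classify_image_path(data)
        if rule is not None:
            hits.append(Hit(rule, path, data, ev.get("process.executable", "<unknown>")))
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[{hit.rule}] writer={hit.writer}\n    {hit.registry_path} = {hit.image_path}")
```

Each hit carries the writing process alongside the value, which is the triage order the recommendations above give: an ImagePath written by services.exe during a normal install looks very different from one written by reg.exe or PowerShell from an interactive session.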
