Detects malicious or suspicious processes that try to hide their true nature by using registry keys. Looks for processes that use the "reg add" command that would modify the registry, and have an 'ImagePath' or a 'FailureCommand'. The added image / values to the registry keys will results in payload to be run.
Credit(s): Sreeman
Example:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v FailureCommand /t REG_SZ /d "C:\tmp\Malicious filename.exe"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v ImagePath /t REG_SZ /d "C:\tmp\Malicious filename.exe"
Reference:
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L7
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
Related
NA
{{mitre("T1543.003")}}
{{mitre("T1574.011")}}
Data Source(s): Process
let selection_reg_img1 = dynamic(['reg ','add ','FailureCommand']);
let selection_reg_img2 = dynamic(['reg ','add ','ImagePath']);
let selection_reg_ext = dynamic(['.sh', '.exe','.dll','.bin$','.bat','.cmd','.js','.msh$','.reg$','.scr','.ps','.vb','.jar','.pl']);
DeviceProcessEvents
| where (ProcessCommandLine has_all (selection_reg_img1) and ProcessCommandLine has_all (selection_reg_img2) and ProcessCommandLine has_any (selection_reg_ext))
- Examine the processes using the "reg add" command, if it's suspicious
- Determine the executable locations, if it is expected
- If suspicious, cross check the file hash values, if its malicious
- Legitimate processes performed by an administrator.
Version 1.0 (date: 07/11/2023)