T1543.003 CobaltStrike ServiceInstallationsInRegistry

T1543.003 - CobaltStrike: Service Installations in Registry

DESCRIPTION

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

Example:

"HKLM\System\ControlSet001\Services" or "HKLM\System\ControlSet002\Services"

Reference:

https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml

Related

CobaltStrike - Persistence Registry_set

ATT&CK TACTICS

T1543.003 - Create or Modify System Process: Windows Service

Data Source(s): registry_set

SENTINEL RULE QUERY

let selection_1 = dynamic(['.exe','ADMIN$']); 
let selection_2 = dynamic(['powershell','start','%COMSPEC%']); 
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services', @'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services', @'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services') 
| where RegistryValueData has_all (selection_1) or RegistryValueData has_all (selection_2)

Triage

1. Analyse the ActionType field for services being installed and modified and if its legit/expected activity.
2. Check the commandlines if the file executed is genuine and is located in valid location, else maybe sign of malware infection.

VERSION

Version 1.0 (date: 25/10/2023)