T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (reg.exe)
DESCRIPTION
Detects malicious or suspicious processes that attempt to persist under the cover of an existing Windows service by editing its registry key. The rule looks for "reg add" command lines that write to a service key and set an 'ImagePath' or a 'FailureCommand' value. The path or command written to these values is executed by the Service Control Manager (ImagePath when the service starts, FailureCommand when it fails), so the supplied payload runs in the service's context.
Credit(s): Sreeman
Example:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v FailureCommand /t REG_SZ /d "C:\tmp\Malicious filename.exe"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v ImagePath /t REG_SZ /d "C:\tmp\Malicious filename.exe"
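To make the detection logic above concrete, the following is an added Python example (it is not the Sentinel query or the referenced Sigma rule) that parses process-creation command lines and flags "reg add" writes of ImagePath or FailureCommand under a service key; the sample command lines are constructed, the first being the page's own example.

```python
import ntpath
import re
import shlex

# Service key under any control set, e.g. HKLM\SYSTEM\CurrentControlSet\Services\W32Time; group 1 is the service name.
SERVICE_KEY_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)$",
    re.IGNORECASE,
)
# Values whose data the Service Control Manager executes (on start / on failure).
WATCHED_VALUES = {"imagepath", "failurecommand"}

# Constructed process-creation command lines (not real telemetry); the first one is the page's example.
SAMPLE_COMMAND_LINES = [
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v FailureCommand /t REG_SZ /d "C:\tmp\Malicious filename.exe"',
    r"C:\Windows\System32\reg.exe ADD HKLM\SYSTEM\ControlSet001\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d %SystemRoot%\System32\spoolsv.exe /f",
    r'reg add "HKLM\SOFTWARE\Contoso\Agent" /v ImagePath /t REG_SZ /d "C:\Program Files\Contoso\agent.exe"',
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time /v Start /t REG_DWORD /d 2 /f",
    r"reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time /v ImagePath",
]

def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes stay literal, quotes are kept
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) < 3 or ntpath.basename(argv[0]).lower() not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    value_name, data = None, None
    args = iter(argv[3:])
    for arg in args:  # reg.exe switches are case-insensitive
        if arg.lower() == "/v":
            value_name = next(args, "").strip('"')
        elif arg.lower() == "/d":
            data = next(args, "").strip('"')
    return argv[2].strip('"'), value_name, data

def detect_service_tamper(cmdline):
    """Return a finding if cmdline writes ImagePath or FailureCommand of a service key, else None."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, value_name, data = parsed
    match = SERVICE_KEY_RE.match(key)
    if not match or value_name is None or value_name.lower() not in WATCHED_VALUES:
        return None
    return {"service": match.group(1), "value": value_name, "data": data, "cmdline": cmdline}
```

The Spooler line is flagged even though its data looks benign; that is what the triage steps below (executable location, hash check) are for.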
References:
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L7
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
Related
NA
ATT&CK TACTICS
T1543.003 - Create or Modify System Process: Windows Service
T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness
Data Source(s): Process
SENTINEL RULE QUERY
Triage
- Examine the process that ran the "reg add" command and determine whether it is suspicious
- Determine the location of the executable referenced in the written value and whether it is expected
- If suspicious, cross-check the file's hash to determine whether it is malicious
False Positives
- Legitimate processes performed by an administrator.
VERSION
Version 1.0 (date: 07/11/2023)