
Non-privileged Usage of Reg or Powershell

Format: Sigma · Level: high · Source: SigmaHQ
ATT&CK: T1112 · Sentinel table: imProcessCreate · Tags: backdoor, powershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Hunt for use of reg.exe or PowerShell by non-privileged users (processes running at Medium integrity level) to modify service configuration values in the registry.

Detection Rule

Sigma (Original)

title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains|all:
              - 'reg '
              - 'add'
        - CommandLine|contains:
              - 'powershell'
              - 'set-itemproperty'
              - ' sp '
              - 'new-itemproperty'
    selection_data:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
        (TargetProcessCommandLine contains "reg " and TargetProcessCommandLine contains "add")
        or (TargetProcessCommandLine contains "powershell"
            or TargetProcessCommandLine contains "set-itemproperty"
            or TargetProcessCommandLine contains " sp "
            or TargetProcessCommandLine contains "new-itemproperty")
    )
    and (
        TargetProcessIntegrityLevel in~ ("Medium", "S-1-16-8192")
        and (TargetProcessCommandLine contains "ControlSet" and TargetProcessCommandLine contains "Services")
        and (TargetProcessCommandLine contains "ImagePath"
             or TargetProcessCommandLine contains "FailureCommand"
             or TargetProcessCommandLine contains "ServiceDLL")
    )
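Added example, not part of the SigmaHQ rule or this feed: a stand-alone Python re-implementation of the rule's condition (the OR between the two selection_cli maps, the AND inside selection_data, case-insensitive substring matching as in Sigma and in the KQL above), run over constructed process-creation events to show which fire and which the integrity-level clause excludes. Field names follow the Sigma rule; the event names, command lines and paths are constructed.

```python
# Clause values copied from the rule, lower-cased: Sigma string matching
# (like KQL `contains` and `in~`) is case-insensitive.
CLI_REG_ALL = ("reg ", "add")
CLI_PS_ANY = ("powershell", "set-itemproperty", " sp ", "new-itemproperty")
DATA_INTEGRITY = ("medium", "s-1-16-8192")   # Medium IL by name or by SID
DATA_PATH_ALL = ("controlset", "services")
DATA_VALUE_ANY = ("imagepath", "failurecommand", "servicedll")


def matches_rule(event):
    """True when a process_creation event satisfies `all of selection_*`."""
    cmd = event.get("CommandLine", "").lower()
    integrity = event.get("IntegrityLevel", "").lower()
    # selection_cli is a YAML list of two maps, so Sigma ORs them.
    selection_cli = (all(n in cmd for n in CLI_REG_ALL)
                     or any(n in cmd for n in CLI_PS_ANY))
    # selection_data is a single map, so every field must match (AND).
    selection_data = (integrity in DATA_INTEGRITY
                      and all(n in cmd for n in DATA_PATH_ALL)
                      and any(n in cmd for n in DATA_VALUE_ANY))
    return selection_cli and selection_data


# Constructed sample events (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    {"name": "reg-medium", "IntegrityLevel": "Medium",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"
                    r" /v ImagePath /t REG_EXPAND_SZ /d C:\constructed\svc.exe /f"},
    {"name": "ps-medium", "IntegrityLevel": "S-1-16-8192",
     "CommandLine": r"powershell -c Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet"
                    r"\Services\ExampleSvc -Name FailureCommand -Value placeholder"},
    # Same write from an elevated shell: excluded by the integrity clause.
    {"name": "reg-high", "IntegrityLevel": "High",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"
                    r" /v ImagePath /d C:\constructed\svc.exe"},
    # Read-only query: has 'reg ' but neither 'add' nor a PowerShell cmdlet.
    {"name": "reg-query", "IntegrityLevel": "Medium",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc /v ImagePath"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event's name to whether the rule fires on it."""
    return {e["name"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:12} -> {'ALERT' if hit else 'no match'}")
```

The rule matches on the command line alone, so a hit says only that the write was attempted, not that it succeeded.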

Required Data Sources

Sentinel Table    Notes
imProcessCreate   Ensure this data connector is enabled

False Positive Guidance

The upstream rule lists its false positives as Unknown. Two properties of the logic matter when tuning it: every clause is a case-insensitive substring match (so 'add' also matches any longer string that contains it), and the rule fires on the command line alone, so it also catches attempts that fail with access denied and cannot confirm that a service value was actually changed. Baseline unelevated management tooling that touches service keys in your environment, and confirm hits against registry-modification telemetry before treating them as a completed change.

MITRE ATT&CK Context

T1112 (Modify Registry). The upstream rule is tagged attack.persistence, attack.defense-impairment and attack.t1112. The ImagePath, ServiceDLL and FailureCommand values under HKLM\SYSTEM\CurrentControlSet\Services decide what a service executes when it starts or when it fails, which is why a write to them from a Medium-integrity process is worth alerting on.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml