← Back to SOC feed Coverage →

Potential Privilege Escalation via Service Permissions Weakness

sigma HIGH SigmaHQ
T1574.011
imProcessCreate
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level

Detection Rule

Sigma (Original)

title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessIntegrityLevel in~ ("Medium", "S-1-16-8192")) and (TargetProcessCommandLine contains "ControlSet" and TargetProcessCommandLine contains "services") and (TargetProcessCommandLine contains "\\ImagePath" or TargetProcessCommandLine contains "\\FailureCommand" or TargetProcessCommandLine contains "\\ServiceDll")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml