Techniques
Sample rules
Service Registry Key Read Access Request
- source: sigma
- techniques:
- t1574
- t1574.011
Description
Detects "read access" requests on the services registry key. The access mask token %%1538 in event 4663 is READ_CONTROL, the right to read a key's security descriptor (owner, DACL, SACL); this is the right an attacker requests when enumerating keys under HKLM\SYSTEM\CurrentControlSet\Services for weak permissions. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Event 4663 is only generated when object access auditing for the registry is enabled and a SACL that audits the requested access is set on the key (or inherited from a parent), so the rule produces nothing on hosts where that auditing has not been configured.
Detection logic
selection:
    EventID: 4663
    ObjectName|contains|all:
        - '\SYSTEM\'
        - 'ControlSet\Services\'
    AccessList|contains: '%%1538'
condition: selection
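The detection logic above, re-implemented as a plain Python predicate and run over a handful of constructed 4663/4656 records. This is an added example and not code from the Sigma project; the records, their ids and the process names are invented for illustration. It shows what the rule's string logic does and does not catch: the match is case-insensitive (Sigma's default for string modifiers), an access list carrying several rights fires as long as one of them is %%1538, and a path written with the resolved control set name (ControlSet001) does not contain the literal "ControlSet\Services\" and so is missed by the rule as written. Whether your hosts log the key as CurrentControlSet or as ControlSet00N is something to verify against real events before relying on this rule.

```python
"""
Re-implementation of the Sigma rule "Service Registry Key Read Access Request"
as a Python predicate, run over constructed Security-log records.
Added example; not part of the Sigma project or its rule set.
"""
from typing import Any, Dict, Iterable, List

# Transcribed from the rule's selection block.
REQUIRED_EVENT_ID = 4663
OBJECT_NAME_SUBSTRINGS = ["\\SYSTEM\\", "ControlSet\\Services\\"]  # ObjectName|contains|all
ACCESS_MASK_TOKEN = "%%1538"                                       # AccessList|contains (READ_CONTROL)


def matches(event: Dict[str, Any]) -> bool:
    """Return True when one event record satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so the object
    path and the access list are compared in lower case.
    """
    if event.get("EventID") != REQUIRED_EVENT_ID:
        return False
    object_name = str(event.get("ObjectName", "")).lower()
    if not all(s.lower() in object_name for s in OBJECT_NAME_SUBSTRINGS):
        return False
    access_list = str(event.get("AccessList", "")).lower()
    return ACCESS_MASK_TOKEN.lower() in access_list


def run_rule(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the ids of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample records (not real log data). Field names follow the
# Security-log event XML that Sigma's windows/security logsource maps to.
SAMPLE_EVENTS = [
    {   # READ_CONTROL on a service key: fires.
        "id": "ev1", "EventID": 4663,
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
        "AccessList": "%%1538",
        "ProcessName": r"C:\Tools\accesschk.exe",   # hypothetical
    },
    {   # Same key, but Query key value (%%4432) rather than READ_CONTROL: does not fire.
        "id": "ev2", "EventID": 4663,
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
        "AccessList": "%%4432",
        "ProcessName": r"C:\Windows\System32\services.exe",
    },
    {   # READ_CONTROL on a key outside SYSTEM\...\Services: does not fire.
        "id": "ev3", "EventID": 4663,
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "AccessList": "%%1538",
        "ProcessName": r"C:\Tools\accesschk.exe",
    },
    {   # Handle-request event 4656 with the same fields: the rule keys on 4663 only.
        "id": "ev4", "EventID": 4656,
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Spooler",
        "AccessList": "%%1538",
        "ProcessName": r"C:\Tools\accesschk.exe",
    },
    {   # Same service key written with the resolved control set name: the
        # literal "ControlSet\Services\" is absent, so the rule as written
        # does NOT fire. Check which form your hosts actually log.
        "id": "ev5", "EventID": 4663,
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler",
        "AccessList": "%%1538",
        "ProcessName": r"C:\Tools\accesschk.exe",
    },
    {   # Several rights requested at once, one of them READ_CONTROL: fires.
        "id": "ev6", "EventID": 4663,
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv",
        "AccessList": "%%4432 %%1538",
        "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['ev1', 'ev6']
```

The `ev5` case is the one worth acting on: if your 4663 events carry the resolved `ControlSet00N` path, widen the `ObjectName` filter (for example to `\Services\` under `\SYSTEM\`) before deploying the rule, and tune on `ProcessName` once you see which legitimate processes request READ_CONTROL on these keys.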