
Summary
This rule detects modifications to the registry ImagePath of default Windows services, which could indicate a privilege escalation attempt by malicious actors. Attackers with partial system privileges may alter the ImagePath so that the service executes unauthorized commands or runs executables they control. The rule uses Elastic Query Language (EQL) to monitor changes, within a specified timeframe, to the specific registry keys associated with high-privilege services. It filters out legitimate modifications by checking that the new value deviates from the standard path, thus focusing on suspicious changes that pose a security risk. Triage steps are included in the rule documentation to guide security teams in confirming and investigating such events.
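As an added illustration (not the rule's own logic or Elastic code), the filtering idea above in Python over constructed registry-change records: the service allow-list, event shape and sample values are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed allow-list for this example (assumption, not the rule's own list):
# service name -> regex that its standard ImagePath data is expected to match.
EXPECTED_IMAGEPATH = {
    "Schedule": r"^(%SystemRoot%|C:\\Windows)\\System32\\svchost\.exe -k netsvcs",
    "Spooler": r"^(%SystemRoot%|C:\\Windows)\\System32\\spoolsv\.exe",
    "WinDefend": r'^"?C:\\Program Files\\Windows Defender\\MsMpEng\.exe',
}

# Matches ...\Services\<name>\ImagePath and captures the service name.
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<service>[^\\]+)\\ImagePath$", re.IGNORECASE)


@dataclass
class RegistryEvent:
    """Minimal shape of a registry value-set event (constructed, not a real log format)."""
    process: str   # image of the process that wrote the value
    key_path: str  # full registry path of the value that changed
    data: str      # new value data


def check_event(ev: RegistryEvent):
    """Return an alert string if ev changes a monitored ImagePath to a non-standard value, else None."""
    m = SERVICE_KEY_RE.search(ev.key_path)
    if not m:
        return None                      # not an ImagePath value at all
    service = m.group("service")
    expected = EXPECTED_IMAGEPATH.get(service)
    if expected is None:
        return None                      # not one of the monitored default services
    if re.match(expected, ev.data, re.IGNORECASE):
        return None                      # still points at the standard binary: benign
    return f"ImagePath of service {service} set to {ev.data!r} by {ev.process}"


def scan(events):
    """Run check_event over a batch of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events: one benign rewrite, one suspicious change, two unrelated writes.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Windows\System32\services.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath",
                  r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    RegistryEvent(r"C:\Windows\System32\reg.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
                  r"C:\Users\Public\update.exe"),
    RegistryEvent(r"C:\Windows\System32\msiexec.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\MyApp\ImagePath",
                  r"C:\Program Files\MyApp\svc.exe"),
    RegistryEvent(r"C:\Windows\System32\services.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start", "2"),
]
```

Running `scan(SAMPLE_EVENTS)` yields exactly one alert, for the Spooler change; the EQL rule additionally constrains the events to a time window, which this flat scan omits.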
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1543
- T1543.003
- T1574
- T1574.011
- T1569
- T1569.002
Created: 2024-06-05