Registry Keys Used For Privilege Escalation

Splunk Security Content

Summary
This analytic rule detects modifications to Windows registry keys under "Image File Execution Options" (IFEO), specifically the GlobalFlag and Debugger values, which are commonly abused for privilege escalation. It uses data from the Endpoint.Registry data model, focusing on Sysmon EventIDs 12 and 13, which record registry key and value changes. An attacker who sets these values can intercept the launch of a legitimate executable and redirect it to code of their choosing, effectively running attacker-controlled code in place of, or alongside, the legitimate process. If such an event is confirmed as malicious, it may indicate that the attacker has gained elevated privileges, leading to possible system compromise. Implementing this detection requires proper ingestion of registry logs from endpoints, specifically using a compatible version of the Sysmon TA.
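As an added illustration of the matching logic this rule describes (this is example code written for this page, not Splunk's own search or the Sysmon TA), the snippet below runs the same check over a few constructed Sysmon-style registry events. It assumes the standard Sysmon field names EventID, Image, TargetObject and Details; the sample paths, executables and values are constructed and not taken from any real incident.

```python
import re

# Matches an IFEO value write for any target executable, under either the
# native or the WOW6432Node hive path, where the value name is GlobalFlag
# or Debugger (the two values the rule focuses on). Case-insensitive because
# registry paths and value names are not case-sensitive.
IFEO_VALUE_PATTERN = re.compile(
    r"\\Image File Execution Options\\(?P<target>[^\\]+)\\(?P<value>GlobalFlag|Debugger)$",
    re.IGNORECASE,
)

# Constructed sample events modelled on Sysmon Event ID 12/13 fields.
SAMPLE_EVENTS = [
    {   # Debugger value set on notepad.exe: should be flagged
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                        "Image File Execution Options\\notepad.exe\\Debugger",
        "Details": "C:\\Temp\\unknown.exe",
    },
    {   # GlobalFlag set on lsass.exe via the WOW6432Node path: should be flagged
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\"
                        "Image File Execution Options\\lsass.exe\\globalflag",
        "Details": "DWORD (0x00000200)",
    },
    {   # A different IFEO value: not one of the two the rule targets, so not flagged
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                        "Image File Execution Options\\notepad.exe\\MinimumStackCommitInBytes",
        "Details": "DWORD (0x00000000)",
    },
    {   # Key creation (Event ID 12) of the per-executable IFEO subkey only: not flagged
        "EventID": 12,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                        "Image File Execution Options\\calc.exe",
    },
    {   # Registry write outside IFEO entirely: not flagged
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Program Files\\Updater\\updater.exe",
    },
]


def detect_ifeo_modifications(events):
    """Return one alert dict per registry event that writes an IFEO
    GlobalFlag or Debugger value. Only Sysmon Event IDs 12 and 13 are
    considered, mirroring the data the rule consumes."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        match = IFEO_VALUE_PATTERN.search(ev.get("TargetObject", ""))
        if not match:
            continue
        alerts.append({
            "event_id": ev["EventID"],
            "writer": ev.get("Image", ""),           # process that performed the write
            "target_exe": match.group("target"),     # executable whose launch is affected
            "value": match.group("value").lower(),   # normalised value name
            "details": ev.get("Details", ""),        # new data, e.g. the debugger path
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ifeo_modifications(SAMPLE_EVENTS):
        print(f"[IFEO] {alert['writer']} set {alert['value']} for "
              f"{alert['target_exe']} -> {alert['details']!r} (EventID {alert['event_id']})")
```

Of the five constructed events, only the Debugger write for notepad.exe and the GlobalFlag write for lsass.exe produce alerts; the other IFEO value, the bare subkey creation and the Run-key write are ignored, which is the behaviour a tuned version of this rule should show. In a real deployment the writer process and the Details field are the first things to triage, since legitimate tooling rarely sets a Debugger value on a core system binary.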
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1546.012
  • T1546
Created: 2024-12-08