T1574.011 IBM QRadar · QRadar

Detect Services Registry Permissions Weakness in IBM QRadar

Adversaries may redirect service execution by exploiting weak permissions on service registry keys under HKLM\SYSTEM\CurrentControlSet\Services. Unlike modifying the binary, this approach modifies the registry value (ImagePath or BinPath) to point to a malicious executable. Additionally, the FailureCommand key can trigger malicious execution when a service fails, and the Performance DLL key can be used for DLL injection. The WinSock2\Parameters\AutodialDLL vector allows persistence via a DLL loaded every time the Winsock2 library is invoked. Vulnerability in RpcEptMapper service allowed non-admin users to create a Performance subkey, loading a DLL in any process using the RPC endpoint mapper.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.011 Services Registry Permissions Weakness
Canonical reference
https://attack.mitre.org/techniques/T1574/011/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
high severity high confidence

QRadar AQL detection for Services Registry Permissions Weakness. Detects non-privileged modifications to service registry keys under HKLM\CurrentControlSet\Services. Focuses on critical value names: ImagePath (execution path), FailureCommand (executed on service fa

Data Sources

Sysmon Event ID 1Sysmon Event ID 11

Required Tables

events

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation
  • Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
  • Self-updating applications modifying their own components
  • Antivirus software modifying installer files during remediation
Download portable Sigma rule (.yml)

Other platforms for T1574.011

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Modify Service ImagePath via Registry (Non-Admin Demonstration)

    Expected signal: Sysmon Event ID 13 (Registry Value Set) if the modification succeeds. reg.exe process creation events. If access is denied (correct behavior), only the query event fires. Security Event ID 4663 if registry auditing is enabled.

  2. Test 2Set Malicious FailureCommand on Test Service

    Expected signal: Sysmon Event ID 13: FailureCommand registry value set under Services\FailureCmdTest\Parameters. Security Event ID 7045 (service installed). Process creation events for sc.exe. The FailureCommand would execute when sc stop FailureCmdTest is called and the service fails to stop cleanly.

  3. Test 3Check WinSock2 AutodialDLL Registry Value

    Expected signal: reg.exe process creation. Registry read operation on WinSock2\Parameters. If the value were set (not in this test), every process using Winsock2 would load the specified DLL.

Last updated: 2026-03-11 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1574.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1574Hijack Execution Flow

Related Sub-techniques

T1574.001DLLT1574.004Dylib HijackingT1574.005Executable Installer File Permissions WeaknessT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1574.008Path Interception by Search Order HijackingT1574.009Path Interception by Unquoted PathT1574.010Services File Permissions WeaknessT1574.012COR_PROFILERT1574.013KernelCallbackTableT1574.014AppDomainManager

Related Techniques

T1574.010Services File Permissions WeaknessT1574.009Path Interception by Unquoted PathT1543.003Windows ServiceT1112Modify RegistryT1562.001Disable or Modify Tools

Same Tactic: Persistence

Popular Detections