Detect Services Registry Permissions Weakness in Sumo Logic CSE
Adversaries may redirect service execution by exploiting weak permissions on service registry keys under HKLM\SYSTEM\CurrentControlSet\Services. Unlike modifying the binary, this approach modifies the registry value (ImagePath or BinPath) to point to a malicious executable. Additionally, the FailureCommand key can trigger malicious execution when a service fails, and the Performance DLL key can be used for DLL injection. The WinSock2\Parameters\AutodialDLL vector allows persistence via a DLL loaded every time the Winsock2 library is invoked. Vulnerability in RpcEptMapper service allowed non-admin users to create a Performance subkey, loading a DLL in any process using the RPC endpoint mapper.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.011 Services Registry Permissions Weakness
- Canonical reference
- https://attack.mitre.org/techniques/T1574/011/
Sumo Detection Query
_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount descSumo Logic detection for Services Registry Permissions Weakness. Detects non-privileged modifications to service registry keys under HKLM\CurrentControlSet\Services. Focuses on critical value names: ImagePath (execution path), FailureCommand (executed on service fa
Data Sources
Required Tables
False Positives & Tuning
- Multi-stage installers that legitimately modify components in TEMP during installation
- Enterprise deployment solutions staging installer binaries in temporary locations
- Self-updating applications that patch their own binaries before running them
- Software that extracts and immediately executes components from archives
Other platforms for T1574.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Modify Service ImagePath via Registry (Non-Admin Demonstration)
Expected signal: Sysmon Event ID 13 (Registry Value Set) if the modification succeeds. reg.exe process creation events. If access is denied (correct behavior), only the query event fires. Security Event ID 4663 if registry auditing is enabled.
- Test 2Set Malicious FailureCommand on Test Service
Expected signal: Sysmon Event ID 13: FailureCommand registry value set under Services\FailureCmdTest\Parameters. Security Event ID 7045 (service installed). Process creation events for sc.exe. The FailureCommand would execute when sc stop FailureCmdTest is called and the service fails to stop cleanly.
- Test 3Check WinSock2 AutodialDLL Registry Value
Expected signal: reg.exe process creation. Registry read operation on WinSock2\Parameters. If the value were set (not in this test), every process using Winsock2 would load the specified DLL.
References (6)
- https://attack.mitre.org/techniques/T1574/011/
- https://itm4n.github.io/windows-registry-rpceptmapper-eop/
- https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md
Unlock Pro Content
Get the full detection package for T1574.011 including response playbook, investigation guide, and atomic red team tests.