rename rule and enhance metadata
nasbench committed Jan 9, 2025
1 parent 4ed661a commit f06f5cd
Showing 1 changed file with 4 additions and 5 deletions.
@@ -1,11 +1,11 @@
name: Windows Service Creation Using Registry Entry
name: Windows Service Creation
id: 25212358-948e-11ec-ad47-acde48001122
version: 8
date: '2025-01-03'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
description: The following analytic detects the modification of registry keys that define Windows services using reg.exe. This detection leverages Splunk to search for specific keywords in the registry path, value name, and value data fields. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
description: The following analytic detects modifications to the "ImagePath" registry value part of registry keys that define Windows services "HKLM\\System\\CurrentControlSet\\Services\\*". This activity can be significant because it indicates potential unauthorized service creation, a common persistence technique used by attackers. If confirmed malicious, this could allow an attacker to maintain access, escalate privileges, or move laterally within the network, leading to data theft, ransomware, or other damaging outcomes.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
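Review bot: The `name` field is renamed while `version: 8` and `date: '2025-01-03'` stay unchanged in the surrounding context, so consumers that key saved searches or filter macros on the rule name will see a new object without any version signal; bump `version` (and refresh `date`) in the same change so the rename is tracked. The new `description` also narrows the detection to the "ImagePath" value under "HKLM\\System\\CurrentControlSet\\Services\\*" and drops the reference to reg.exe; that reads consistent with the Sysmon EventID 12/13 data sources (registry events regardless of writing process), but the path scope should be verified against the `search` body, of which only the `= ImagePath` tail is visible in this diff.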
Expand All @@ -14,13 +14,12 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
= ImagePath) BY Registry.dest Registry.user Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`'
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: Third party tools may used this technique to create services
but not so common.
known_false_positives: Third party tools may used this technique to create services but not so common.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1574.011/T1574.011.md
drilldown_searches:
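Review bot: The closing macro changes from `windows_service_creation_using_registry_entry_filter` to `windows_service_creation_filter`, but this commit touches only one file ("Showing 1 changed file"), so no macro definition for `windows_service_creation_filter` is added or renamed here; unless that macro already exists, the search will fail to parse on deployment. Also, `known_false_positives` is merely reflowed onto one line and still reads "may used this technique ... but not so common"; since the line is being touched, correct it to something like "Third party tools may use this technique to create services, but this is uncommon."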