Navigation :

Registry Keys Used For Privilege Escalation

Description

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Privilege Escalation

Alert Volume

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Event Triggered Execution

Image File Execution Options Injection

MITRE Threat Groups

TEMP.Veles

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

Registry Keys Used For Privilege Escalation Help

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response products, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

   Search

| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) by Registry.dest  Registry.user Registry.registry_path Registry.registry_key_name | `security_content_ctime(lastTime)`  | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`
Open in Search