
Potential Persistence Attempt Via Existing Service Tampering

Format: Sigma · Level: medium · Source: SigmaHQ · ATT&CK: T1543.003, T1574.011 · Sentinel table: imProcessCreate · Tactic: persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-19T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the reconfiguration of an existing Windows service so that an arbitrary payload runs either when the service starts (the binary path, set with sc config binpath= or by writing the ImagePath value) or when the service crashes or is killed (the recovery action, set with sc failure command= or by writing the FailureCommand value). Both are persistence methods described in the referenced pentestlab post; the rule looks only at the command line of the sc.exe or reg.exe process that makes the change.

Detection Rule

Sigma (Original)

title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessCommandLine contains "sc " and TargetProcessCommandLine contains "config " and TargetProcessCommandLine contains "binpath=") or (TargetProcessCommandLine contains "sc " and TargetProcessCommandLine contains "failure" and TargetProcessCommandLine contains "command=")) or (((TargetProcessCommandLine contains "reg " and TargetProcessCommandLine contains "add " and TargetProcessCommandLine contains "FailureCommand") or (TargetProcessCommandLine contains "reg " and TargetProcessCommandLine contains "add " and TargetProcessCommandLine contains "ImagePath")) and (TargetProcessCommandLine contains ".sh" or TargetProcessCommandLine contains ".exe" or TargetProcessCommandLine contains ".dll" or TargetProcessCommandLine contains ".bin$" or TargetProcessCommandLine contains ".bat" or TargetProcessCommandLine contains ".cmd" or TargetProcessCommandLine contains ".js" or TargetProcessCommandLine contains ".msh$" or TargetProcessCommandLine contains ".reg$" or TargetProcessCommandLine contains ".scr" or TargetProcessCommandLine contains ".ps" or TargetProcessCommandLine contains ".vb" or TargetProcessCommandLine contains ".jar" or TargetProcessCommandLine contains ".pl"))

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled. imProcessCreate is the ASIM process-creation parser, so the source it normalizes (for example Sysmon event 1 or Windows Security event 4688 with command-line auditing) must be ingested and must carry the full command line.

False Positive Guidance

The upstream rule lists its false positives as Unknown. In practice, software installers, update agents and administrative scripts that reconfigure services with sc config ... binpath= or sc failure ... command=, and deployment tooling that writes ImagePath through reg add, will trigger it; tune by baselining the parent process and the target path rather than by suppressing the verb. Three entries in selection_reg_ext ('.bin$', '.msh$', '.reg$') carry a literal $ under the contains modifier, so they only match command lines that actually contain that character; drop the $ if those extensions are meant to count.

MITRE ATT&CK Context

Tactics tagged on the rule: Persistence, Privilege Escalation, Execution.
- T1543.003 Create or Modify System Process: Windows Service (changing a service's binary path or recovery command via sc.exe)
- T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness (writing ImagePath or FailureCommand directly under HKLM\SYSTEM\CurrentControlSet\Services\<service> where the key's permissions allow it)

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml