Potential Service ImagePath Value Tampering

Rule Info

Name
Potential Service ImagePath Value Tampering
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potential tampering of the ImagePath of some built-in and third party services. Attackers sometimes tamper with the an existing service "ImagePath" instead of creating a new one to avoid raising "New Service Creation" events alerts and avoid defenses. This rule uses a baseline of services "ImagePath" values and triggers if there are any anomalies.
Reference
Internal Research
Date
2024-07-10 00:00:00
Modified
None
Id
43ed5a2a-a799-4e75-9492-0fe47c8a279f
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022