Startup State Changed For Remote Registry Service - Registry

Rule Info

Name
Startup State Changed For Remote Registry Service - Registry
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects changes to the startup type of the "Remote Registry" service, specifically a change from the "disabled" state to any other state such as "manual" or "automatic". If not authorized, such a change can indicate lateral movement in progress, since the "Remote Registry" service lets remote users read and modify registry settings on the computer. Attackers can leverage it to manipulate registry values remotely.
Reference
Internal Research
Date
2024-07-09 00:00:00
Modified
None
Id
46e7269a-ad45-4d45-9179-55a6d3c4c014
Tags
attack.defense-evasion attack.t1112
Type
Nextron Sigma feed only (private)
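The rule itself is private, so the following is an added example and not the Nextron rule or its Sigma source. It re-implements the behaviour the description states over constructed Sysmon Event ID 13 (RegistryEvent: SetValue) records, which carry the new value of HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2 = automatic, 3 = manual, 4 = disabled). Because a single SetValue event does not contain the previous value, the block shows two variants: a stateless match (what a Sigma rule alone can express: any write of a non-disabled Start value) and a stateful pass that reconstructs the "from disabled" transition per host. The field names, hostnames, process images and event records are all assumptions made for the example.

```python
"""Detection logic for "Startup State Changed For Remote Registry Service - Registry".

Added example, not the private Nextron Sigma rule. Input records mimic
Sysmon Event ID 13 (RegistryEvent: SetValue) reduced to the fields used here.
"""
import re
from typing import Optional

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<svc>
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
DISABLED = 4
RULE_NAME = "Startup State Changed For Remote Registry Service - Registry"

# Sysmon renders DWORD values in the Details field as "DWORD (0x00000003)"
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# Match the Start value of the RemoteRegistry service key, hive case-insensitive
_TARGET_RE = re.compile(r"\\Services\\RemoteRegistry\\Start$", re.IGNORECASE)

# Constructed sample events (assumed shape; not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start",
     "Details": "DWORD (0x00000003)"},   # disabled -> manual
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start",
     "Details": "DWORD (0x00000004)"},   # set back to disabled (hardening, not suspicious)
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\sc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start",
     "Details": "DWORD (0x00000002)"},   # disabled -> automatic
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},   # different service: ignored
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start",
     "Details": "DWORD (0x00000003)"},   # first observation on WS02 -> manual
    {"EventID": 12, "Computer": "WS03", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry",
     "EventType": "CreateKey"},          # key create, not a value write: ignored
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start",
     "Details": "DWORD (0x00000002)"},   # manual -> automatic: not "from disabled"
]


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon DWORD Details string; None for other types."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def is_remote_registry_start_write(event: dict) -> bool:
    """True for a SetValue event targeting RemoteRegistry\\Start."""
    return event.get("EventID") == 13 and bool(_TARGET_RE.search(event.get("TargetObject", "")))


def stateless_match(event: dict) -> bool:
    """What a Sigma rule can express on its own: any write of a non-disabled Start value.
    Without the previous value it also fires on manual -> automatic changes."""
    if not is_remote_registry_start_write(event):
        return False
    new = parse_dword(event.get("Details", ""))
    return new is not None and new != DISABLED


def detect(events, assume_disabled_baseline: bool = True) -> list:
    """Stateful pass: one alert per host transition out of the disabled state.

    The previous value is reconstructed from earlier events for the same host.
    With no prior observation the baseline is taken as disabled when
    assume_disabled_baseline is set; otherwise the first write only seeds state.
    """
    last_seen: dict = {}
    alerts = []
    for ev in events:
        if not is_remote_registry_start_write(ev):
            continue
        new = parse_dword(ev.get("Details", ""))
        if new is None:
            continue
        host = ev.get("Computer", "unknown")
        prev = last_seen.get(host)
        if prev is None and assume_disabled_baseline:
            prev = DISABLED
        if prev == DISABLED and new != DISABLED:
            alerts.append({"rule": RULE_NAME, "host": host, "image": ev.get("Image"),
                           "from": START_TYPES.get(prev, str(prev)),
                           "to": START_TYPES.get(new, str(new))})
        last_seen[host] = new
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream the stateless match fires four times (including the manual to automatic change on WS02), while the stateful pass reports three transitions out of the disabled state, or one if no baseline is assumed. When triaging a hit, confirm the current state on the host with `sc.exe qc RemoteRegistry` and check whether the writing process (services.exe on behalf of sc.exe or the Services console, reg.exe, a script host) and the logged-on account match an approved administrative change.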

Rule History