Hunting For Registry Artifacts Of Service Creation

Query

This query helps to identify service creation events regardless of the tool/method used for service creation (even if the threat actors use the Windows API directly, without leaving any command line traces).
```
DeviceRegistryEvents
| where ActionType has "RegistryKeyCreated"
    and RegistryValueName contains "\\service\\"
    and (RegistryValueData has "ImagePath" or RegistryValueData has "ServiceDll")
```

Explanation

This query is designed to detect the creation of new services on a Windows system by examining registry events. It looks for registry key creation events whose value name contains the segment "\service\", and it then checks whether the registry data includes either "ImagePath" or "ServiceDll", the two values that tell the Service Control Manager which executable or DLL a service runs. Because the detection keys on the registry write rather than on a process command line, it still fires when a service is installed through direct Windows API calls that leave no command line trace.
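To see exactly which rows the predicate above accepts, the following added example (not part of the original page or the author's query) re-implements the query's boolean logic in Python and runs it over a handful of constructed DeviceRegistryEvents-style rows. The column names mirror the query; the rows, timestamps, device and service names are made up, and the `kql_has` tokenizer is an approximation of Kusto's term matching (whole alphanumeric terms, case-insensitive) rather than the real engine. It is a cheap way to check a hunting predicate's `has` versus `contains` behaviour before relying on it in production.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample rows shaped like the DeviceRegistryEvents columns the query
# references. None of this is real telemetry; every value is made up for the
# walkthrough.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # expected match: key creation, "\service\" segment, data names ImagePath
        "Timestamp": "2024-12-13T10:00:01Z",
        "DeviceName": "ws01",
        "ActionType": "RegistryKeyCreated",
        "RegistryValueName": r"HKLM\SYSTEM\CurrentControlSet\service\UpdaterSvc",
        "RegistryValueData": r"ImagePath=C:\ProgramData\upd\updater.exe",
    },
    {   # expected match: ServiceDll variant in a different letter case
        "Timestamp": "2024-12-13T10:00:02Z",
        "DeviceName": "ws01",
        "ActionType": "RegistryKeyCreated",
        "RegistryValueName": r"HKLM\SYSTEM\CurrentControlSet\Service\NetHelper\Parameters",
        "RegistryValueData": r"SERVICEDLL=C:\Windows\System32\nethelper.dll",
    },
    {   # no match: a value-set action, not a key creation
        "Timestamp": "2024-12-13T10:00:03Z",
        "DeviceName": "ws02",
        "ActionType": "RegistryValueSet",
        "RegistryValueName": r"HKLM\SYSTEM\CurrentControlSet\service\UpdaterSvc",
        "RegistryValueData": r"ImagePath=C:\ProgramData\upd\updater.exe",
    },
    {   # no match: "\Services\" does not contain the exact substring "\service\"
        # (the trailing 's' breaks the substring), which is worth knowing when
        # tuning the pattern against real key paths
        "Timestamp": "2024-12-13T10:00:04Z",
        "DeviceName": "ws02",
        "ActionType": "RegistryKeyCreated",
        "RegistryValueName": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
        "RegistryValueData": r"ImagePath=C:\Windows\System32\spoolsv.exe",
    },
    {   # no match: `has` is term-based, so "ImagePathway" is not the term "ImagePath"
        "Timestamp": "2024-12-13T10:00:05Z",
        "DeviceName": "ws03",
        "ActionType": "RegistryKeyCreated",
        "RegistryValueName": r"HKLM\SYSTEM\CurrentControlSet\service\Foo",
        "RegistryValueData": r"ImagePathway=C:\x.exe",
    },
]

# KQL string literal "\\service\\" decodes to the 9-character string \service\
SERVICE_SEGMENT = "\\service\\"

_TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_has(haystack: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole alphanumeric term."""
    wanted = term.lower()
    return any(tok.lower() == wanted for tok in _TERM_RE.findall(haystack))


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def matches_service_creation(event: Dict[str, str]) -> bool:
    """The query's `where` clause, evaluated against one row."""
    action = event.get("ActionType", "")
    value_name = event.get("RegistryValueName", "")
    value_data = event.get("RegistryValueData", "")
    return (
        kql_has(action, "RegistryKeyCreated")
        and kql_contains(value_name, SERVICE_SEGMENT)
        and (kql_has(value_data, "ImagePath") or kql_has(value_data, "ServiceDll"))
    )


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows the hunting query would surface, in input order."""
    return [ev for ev in events if matches_service_creation(ev)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["RegistryValueName"])
```

Running the script lists the two constructed rows that satisfy the predicate. The two negative rows at the end are the ones worth studying: `contains "\\service\\"` is a strict substring test, and `has "ImagePath"` matches only a whole term, so near-miss spellings in either field are silently excluded.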

Details

Sergio Albea

Released: December 13, 2024

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEvents, ActionType, RegistryKeyCreated, RegistryValueName, RegistryValueData, ImagePath, ServiceDll

Operators

DeviceRegistryEvents, |, where, has, and, contains, \\service\\, or