Security Event Security Service Registry ACL Modification
Query
let file_names = dynamic(["subinacl.exe", "SetACL.exe"]);
let registry_paths = dynamic([
@"Services\HealthService",
@"Services\Sense",
@"Services\WinDefend",
@"Services\MsSecFlt",
@"Services\DiagTrack",
@"Services\SgrmBroker",
@"Services\SgrmAgent",
@"Services\AATPSensorUpdater",
@"Services\AATPSensor",
@"Services\mpssvc"
]);
let parameters = dynamic([
@"/deny=SYSTEM",
@"/deny=S-1-5-18",
@"/grant=SYSTEM=r",
@"/grant=S-1-5-18=r",
@"n:SYSTEM;p:READ",
@"n1:SYSTEM;ta:remtrst;w:dacl"
]);
union
(
SecurityEvent
| where EventID == 4688
| where Process has_any (file_names) and CommandLine has_any (registry_paths) and CommandLine has_any (parameters)
| project
TimeGenerated,
Computer,
Account,
AccountType,
SubjectLogonId,
TargetAccount,
Activity,
NewProcessName,
CommandLine
),
(
SecurityEvent
| where EventID == 4670
| where ObjectType == "Key"
| mv-apply Auxiliar = parse_xml(EventData)["EventData"]["Data"] on (
summarize BagToUnpack = make_bag(bag_pack(tostring(Auxiliar["@Name"]), tostring(Auxiliar["#text"])))
)
| evaluate bag_unpack(BagToUnpack, columnsConflict="keep_source"): (TimeGenerated: datetime, Computer: string, Account: string, AccountType: string, SubjectLogonId: string, Activity: string, ProcessName: string, ObjectType: string, ObjectName: string, EventData: string, OldSd: string, NewSd: string)
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070?redirectedfrom=MSDN
| extend EntryType = substring(OldSd, 0, 1)
//| where EntryType == "D"
| extend
RemovedSd = iff(EntryType in ("O", "G"), split(OldSd, ":", 1), extract_all(@"\(([^\)]+)\)", OldSd)),
AddedSd = iff(EntryType in ("O", "G"), split(NewSd, ":", 1), extract_all(@"\(([^\)]+)\)", NewSd))
| extend
RemovedSd = iff(EntryType in ("O", "G"), RemovedSd, set_difference(RemovedSd, AddedSd)),
AddedSd = iff(EntryType in ("O", "G"), AddedSd, set_difference(AddedSd, RemovedSd))
| mv-expand RemovedSd to typeof(string)
| where RemovedSd endswith "SY"
| mv-expand AddedSd = iff(array_length(AddedSd) == 0, dynamic([""]), AddedSd) to typeof(string)
| where isempty(AddedSd) or AddedSd endswith "SY"
| where case(
isempty(AddedSd), true, // Local System access was removed
RemovedSd startswith "A" and AddedSd startswith "D", true, // Local System was denied
RemovedSd contains "KA" and not(AddedSd contains "KA"), true, // Local System Key All Access was removed
false
)
| project
TimeGenerated,
Computer,
Account,
AccountType,
SubjectLogonId,
Activity,
ProcessName,
ObjectType,
ObjectName,
EntryType,
OldSd,
NewSd,
RemovedSd,
AddedSd,
EventData
)Explanation
This KQL query is designed to detect suspicious activities related to changes in system permissions, specifically focusing on certain processes and registry keys. Here's a simplified breakdown:
-
Define Lists:
file_names: A list of executable files (subinacl.exe,SetACL.exe) that are often used to modify permissions.registry_paths: A list of registry paths related to various Windows services that are critical for system security and monitoring.parameters: A list of command-line parameters that might indicate permission changes, such as denying or granting access to the SYSTEM account.
-
Query Security Events:
- The query looks at two types of security events:
- EventID 4688: This event logs the creation of new processes. The query checks if any of the specified executables (
file_names) are run with command lines that include the specified registry paths and parameters. If found, it extracts and displays relevant details like the time, computer, account, and command line used. - EventID 4670: This event logs changes to object permissions. The query focuses on registry keys (
ObjectType == "Key") and examines changes in security descriptors (SDs) to detect if access for the Local System account was removed or denied. It analyzes the old and new security descriptors to identify such changes and displays relevant details.
- EventID 4688: This event logs the creation of new processes. The query checks if any of the specified executables (
- The query looks at two types of security events:
-
Output:
- The query outputs details of any detected events, including the time they occurred, the computer involved, the account used, and specifics about the process or object affected.
Overall, this query is used to monitor and alert on potential unauthorized changes to critical system permissions, which could indicate malicious activity or misconfigurations.
Details

Jose Sebastián Canós
Released: February 19, 2025
Tables
SecurityEvent
Keywords
SecurityEvent
Operators
letdynamicunionwherehas_anyprojectmv-applyparse_xmlsummarizemake_bagbag_packtostringevaluatebag_unpackextendsubstringiffsplitextract_allset_differencemv-expandendswitharray_lengthisemptycasestartswithcontains