
Conversation

@swachchhanda000 (Collaborator) commented Sep 8, 2025

Summary of the Pull Request

Changelog

new - Service StartType Change for Services Vulnerable to Phantom DLL Hijacking
update - Potential DLL Sideloading Of Non-Existent DLLs From System Folders
new - Suspicious Service Privilege Addition
new - Suspicious Privilege Addition To Existing Service

Example Log Event

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7040</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2025-09-08T05:22:22.9483038Z" />
    <EventRecordID>2011</EventRecordID>
    <Correlation />
    <Execution ProcessID="836" ThreadID="12500" />
    <Channel>System</Channel>
    <Computer>swachchhanda</Computer>
    <Security UserID="S-1-5-21-2555720767-1205513275-3893774561-1001" />
  </System>
  <EventData>
    <Data Name="param1">Remote Desktop Configuration</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">SessionEnv</Data>
  </EventData>
</Event>
```

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
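An added example, not code from this PR or the SigmaHQ repository: a small Python check that parses the Event ID 7040 record shown in the description into the `Provider_Name`/`Param` fields the start-type rule matches on and applies that rule's logic, including the narrowing on `Param3` proposed in review. The service list is a placeholder holding only `SessionEnv`, the service in the example event, and the embedded XML is a trimmed copy of that event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder list of services the PR treats as phantom-DLL loaders;
# SessionEnv is the one in the example event. Add other services vulnerable
# to phantom DLL hijacking here.
PHANTOM_DLL_SERVICES = {"SessionEnv"}
# New start types the review proposed narrowing on (Param3 of Event ID 7040).
SUSPICIOUS_NEW_START_TYPES = {"auto start", "demand start"}

# Constructed sample: a trimmed copy of the Event ID 7040 record from the PR description.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" />
    <EventID Qualifiers="16384">7040</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="param1">Remote Desktop Configuration</Data>
    <Data Name="param2">demand start</Data>
    <Data Name="param3">auto start</Data>
    <Data Name="param4">SessionEnv</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten a Windows event XML record into the field names the Sigma rule uses."""
    root = ET.fromstring(xml_text)
    fields = {
        "Provider_Name": root.find("e:System/e:Provider", NS).get("Name"),
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        # param1..param4 become Param1..Param4, matching the rule's Param4 selection
        fields[data.get("Name").capitalize()] = data.text
    return fields


def is_phantom_dll_starttype_change(fields):
    """Rule logic: SCM Event ID 7040 for a vulnerable service switched to a suspicious start type."""
    return (
        fields.get("Provider_Name") == "Service Control Manager"
        and fields.get("EventID") == 7040
        and fields.get("Param4") in PHANTOM_DLL_SERVICES
        and fields.get("Param3") in SUSPICIOUS_NEW_START_TYPES
    )
```

Note that `Param1` carries the display name ("Remote Desktop Configuration") while `Param4` carries the short service name, so the rule's service list must use short names.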

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Sep 8, 2025
@swachchhanda000 swachchhanda000 added the Review Needed The PR requires review label Sep 8, 2025
@phantinuss phantinuss requested a review from Copilot September 22, 2025 11:37
Copilot AI (Contributor) left a comment


Pull Request Overview

This PR adds new detection rules for suspicious service privilege modifications and phantom DLL hijacking techniques that threat actors use for privilege escalation and EDR bypass. The changes focus on detecting malicious service configuration changes that could be used to load kernel drivers or perform DLL sideloading attacks.

  • Four new rules for detecting service privilege additions and phantom DLL hijacking abuse
  • One update to an existing image load rule to add correlation with new phantom DLL hijacking rules

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| registry_set_susp_service_privilege_addition.yml | New registry-based detection for suspicious privilege additions to services |
| proc_creation_win_susp_service_privilege_addition.yml | New process-based detection for suspicious service privilege modifications |
| proc_creation_win_sc_service_config_change_for_phatom_dll_hijacking.yml | New detection for SC.EXE configuration changes on vulnerable services |
| win_system_service_starttype_change_for_phatom_dll_abuse.yml | New detection for service start type changes on phantom DLL vulnerable services |
| image_load_side_load_non_existent_dlls.yml | Updated to include correlation with new phantom DLL hijacking rule |


@@ -0,0 +1,39 @@
title: SC.EXE Config Change for Services Vulnerable to Phantom DLL Hijacking

Copilot AI Sep 22, 2025


Inconsistent spelling: the title correctly uses 'Phantom' while the description uses 'phatom'. The filename also uses 'phatom' instead of 'phantom'.

@@ -0,0 +1,33 @@
title: Service StartType Change for Services Vulnerable to Phantom DLL Hijacking

Copilot AI Sep 22, 2025


Filename contains spelling error: 'phatom' should be 'phantom' to match the correctly spelled title.

Comment on lines +3 to +5
related:
- id: ad682e11-8144-4de0-aa39-1cfcd5ebb64e
type: similar

Copilot AI Sep 22, 2025


The rule references itself in the related section (line 4 uses the same ID as line 2). This creates a self-reference which is not meaningful.

Suggested change
related:
- id: ad682e11-8144-4de0-aa39-1cfcd5ebb64e
type: similar

Comment on lines +25 to +26
Provider_Name: 'Service Control Manager'
Param4:
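Review bot: the `Param4:` list at line +26 must hold short service names, not display names: in the example Event ID 7040 record in the PR description, `param4` is `SessionEnv` while the display name "Remote Desktop Configuration" sits in `param1`, so an entry like `Remote Desktop Configuration` here would never match. It would also help to state in a comment that `Param2` is the previous and `Param3` the new start type, since that is what any narrowing on the new start type relies on.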
Collaborator


you could add Param3 for matching on switching to "on demand" and "auto start" only.

Comment on lines +12 to +13
Detects the use of SC.EXE to modify configurations of known services that have been abused by threat actors for phantom dll hijacking.
Since, these services load the phatom dlls, threat actors may modify their configurations to load malicious dlls instead at runtime.
Collaborator


Suggested change
Detects the use of SC.EXE to modify configurations of known services that have been abused by threat actors for phantom dll hijacking.
Since, these services load the phatom dlls, threat actors may modify their configurations to load malicious dlls instead at runtime.
Detects the use of SC.EXE to modify configurations of known services that have been abused by threat actors for phantom DLL hijacking.
Since, these services load the phantom DLLs, threat actors may modify their configurations to load malicious DLLs instead at runtime.

CommandLine|contains: 'config'
selection_susp_services:
CommandLine|contains:
# Add other services vulnerable to phantom dll hijacking
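Review bot: `CommandLine|contains: 'config'` matches that substring anywhere in the command line, not only the sc.exe `config` subcommand, so any other argument containing "config" (a path in a `binPath=` value, for instance) satisfies this selection; padding the value with spaces (`' config '`) ties it to the subcommand. The service names listed under `selection_susp_services` should be the short names sc.exe takes (`SessionEnv` in the PR's example event), and the placeholder comment would read better if it named the source the list is maintained from.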
Collaborator


Suggested change
# Add other services vulnerable to phantom dll hijacking
# Add other services vulnerable to phantom DLL hijacking

