From 82481b9e314aff46b00386953c422cfeb9986eb8 Mon Sep 17 00:00:00 2001 From: sinisterchill Date: Thu, 26 Feb 2026 04:07:05 +0530 Subject: [PATCH] persistence: narrow registry-based service detection to service-specific values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes #1100 — false positive in persist via Windows service rule. The registry-based detection branch previously matched ANY registry write under Services\*, which caused false positives for benign operations like modifying NetBT network parameters (NetbiosOptions under Services\NetBT\Parameters\*). Added a requirement for service-specific registry value names: - ImagePath: the service binary path (primary persistence vector) - ServiceDll: svchost-hosted service DLL path - FailureCommand: command executed on service failure (abuse vector) This eliminates false positives from registry writes to service parameter subkeys that don't control service execution behavior, while preserving detection of all three main registry-based service persistence techniques. --- persistence/service/persist-via-windows-service.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml index 7bd333ffd..81a483309 100644 --- a/persistence/service/persist-via-windows-service.yml +++ b/persistence/service/persist-via-windows-service.yml @@ -40,3 +40,10 @@ rule: - and: - match: set registry value - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i + - or: + - string: /ImagePath/i + description: service binary path + - string: /ServiceDll/i + description: svchost-hosted service DLL + - string: /FailureCommand/i + description: command run on service failure
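Review bot: the three new value-name patterns in this hunk are unanchored substring regexes (`/ImagePath/i`, `/ServiceDll/i`, `/FailureCommand/i`), so they will also fire when those words appear anywhere else in the matched event, for example inside the written value data or in a differently named value that merely contains the token, rather than only when the registry value name itself is `ImagePath`, `ServiceDll` or `FailureCommand`. Consider anchoring them to the end of the value path, e.g. `- string: /\\ImagePath$/i`, so the narrowing the commit message describes actually holds; the existing `/System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i` string already has the same looseness, but the new lines are where the precision claim is made. The commit message also cites the NetBT `NetbiosOptions` false positive as the motivating case, yet the diff adds only the rule change, so a true-positive sample (an `ImagePath` write under `Services\`) and the `NetBT\Parameters` negative sample would be worth adding alongside it if this repository keeps per-rule test events.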