Hijack Execution Flow: Services Registry Permissions Weakness

Description

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.

Products, Sensors, and Dependencies

Product: Tenable Vulnerability Management
Dependencies: Advanced Network Scan
Data source: Windows machines
Access required: Authenticated Scan
Protocol: SMB
Data Collected: Windows Services ACL
Notes: Plugin ID: 44401

References

Microsoft Windows SMB Service Config Enumeration

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence, Privilege Escalation, Defense Evasion

Platform: Windows

Tenable Release Date: 2022 Q3