EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Service Registry Permissions Weakness Check

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

MITRE ATT&CK

T1574.011
privilege-escalationdefense-evasionpersistence

Detection Query

selection:
  ScriptBlockText|contains|all:
    - get-acl
    - REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\
condition: selection

Author

frack113

Created

2021-12-30

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1574.011stp.2a
Raw Content
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1574.011
    - stp.2a
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'get-acl'
            - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium