EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Changing Existing Service ImagePath Value Via Reg.EXE

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

MITRE ATT&CK

T1574.011
privilege-escalationdefense-evasionpersistence

Detection Query

selection:
  Image|endswith: \reg.exe
  CommandLine|contains|all:
    - "add "
    - SYSTEM\CurrentControlSet\Services\
    - " ImagePath "
selection_value:
  CommandLine|contains|windash: " -d "
condition: all of selection*

Author

frack113

Created

2021-12-30

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1574.011
Raw Content
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    selection_value:
        CommandLine|contains|windash: ' -d '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium