EXPLORE
Sign In
← Back to Explore
T1574.011

Services Registry Permissions Weakness

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be m...

Windows
17
Detections
3
Sources
0
Threat Actors

BY SOURCE

11sigma4elastic2splunk_escu

PROCEDURES (10)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Privilege2 detections

Auto-extracted: 2 detections for privilege

Persist2 detections

Auto-extracted: 2 detections for persist

Privilege2 detections

Auto-extracted: 2 detections for privilege

Aws2 detections

Auto-extracted: 2 detections for aws

Powershell1 detections

Auto-extracted: 1 detections for powershell

Aws1 detections

Auto-extracted: 1 detections for aws

Persist1 detections

Auto-extracted: 1 detections for persist

Registry1 detections

Auto-extracted: 1 detections for registry

DETECTIONS (17)

Abuse of Service Permissions to Hide Services Via Set-Service
sigmahigh
Abuse of Service Permissions to Hide Services Via Set-Service - PS
sigmahigh
Changing Existing Service ImagePath Value Via Reg.EXE
sigmamedium
Persistence via Update Orchestrator Service Hijack
elastichigh
Possible Privilege Escalation via Weak Service Permissions
sigmahigh
Potential Persistence Attempt Via Existing Service Tampering
sigmamedium
Potential Privilege Escalation via Service ImagePath Modification
elasticmedium
Potential Privilege Escalation via Service Permissions Weakness
sigmahigh
Reg exe Manipulating Windows Services Registry Keys
splunk_escu
Service DACL Abuse To Hide Services Via Sc.EXE
sigmahigh
Service Registry Key Read Access Request
sigmalow
Service Registry Permissions Weakness Check
sigmamedium
Service Security Descriptor Tampering Via Sc.EXE
sigmamedium
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
sigmahigh
Unsigned DLL Loaded by Svchost
elasticmedium
Unusual Persistence via Services Registry
elasticlow
Windows Service Creation Using Registry Entry
splunk_escu