Technique on mitre.org

T1574.011: Services Registry Permissions Weakness

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.

The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL. If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.

Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities. Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of events related to modification of keys and value entries of the HKLM\SYSTEM\CurrentControlSet\Services registry tree.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.

ID	DS0019	Data source and component	Service: Service Modification	Description	Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.

ID	Data source and component	Description
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for modification of Registry keys and values used by services such as HKLM\SYSTEM\CurrentControlSet\Services that may allow adversaries to launch their own code when a service starts.
DS0019	Service: Service Modification	Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity.
DS0009	Process: Process Creation	Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.
DS0017	Command: Command Execution	Monitor for the execution of commands and arguments that can be used for adversaries to modify services' registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.

Mitigation

ID	M1024	Name	Restrict Registry Permissions	Description	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

ID	Name	Description
M1024	Restrict Registry Permissions	Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.