T1574.011 Services Registry Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.[6][4]
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service’s binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.[3][1]
The Performance key contains the name of a driver service’s performance DLL and the names of several exported functions in the DLL.[7] If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.[2]
Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.[7][8] Additionally, if adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll.[4]
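The weakness described above is an ACL problem, so the defender's check is an ACL audit. The script below is an added example (not from this ATT&CK page or from MITRE) that walks HKLM\SYSTEM\CurrentControlSet\Services, reports any service key on which a principal outside an assumed trusted set holds rights that would let it change ImagePath, FailureCommand, Performance or Parameters\ServiceDll, and shows the current values of those entries so the result can be triaged. The trusted-principal list and the "dangerous rights" mask are assumptions to tune for your environment; run it elevated.

```powershell
# Added example: audit service Registry keys for weak ACLs (M1024 support).
# Assumed trusted principals; per-environment tuning expected.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow redirecting what a service executes:
# SetValue  -> rewrite ImagePath / FailureCommand / ServiceDll
# CreateSubKey -> add a Performance or Parameters subkey (see text above)
# ChangePermissions / TakeOwnership / FullControl -> grant the above to oneself
$dangerousRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl

$findings = foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs for untrusted principals carrying a write-class right matter.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $dangerousRights) -eq 0) { continue }

        # Pull the entries an attacker would redirect so the finding is triagable.
        $props  = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service        = $key.PSChildName
            Principal      = $ace.IdentityReference.Value
            Rights         = $ace.RegistryRights
            Inherited      = $ace.IsInherited      # explicit (non-inherited) ACEs deserve a closer look
            ImagePath      = $props.ImagePath
            FailureCommand = $props.FailureCommand
            ServiceDll     = $params.ServiceDll
            HasPerformance = Test-Path -Path "$($key.PSPath)\Performance"
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

Per-service SIDs (NT SERVICE\<name>) and vendor-created groups will show up as findings and need case-by-case review; a non-inherited ACE granting Users or Authenticated Users SetValue or CreateSubKey on a single service key is the pattern to prioritise.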
Item | Value |
---|---|
ID | T1574.011 |
Sub-techniques | T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013 |
Tactics | TA0003, TA0004, TA0005 |
Platforms | Windows |
Permissions required | Administrator, User |
Version | 1.1 |
Created | 13 March 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0006 | Operation Honeybee | During Operation Honeybee, the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the svchost.exe process.[9] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0019 | Service | Service Modification |
DS0024 | Windows Registry | Windows Registry Key Modification |
References
- @r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.
- Clément Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.
- Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.
- Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.
- Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.
- Microsoft. (2021, August 5). HKLM\SYSTEM\CurrentControlSet\Services Registry Tree. Retrieved August 25, 2021.
- Trend Micro. (2012, October 9). TROJ_ZEGOST. Retrieved September 2, 2021.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.