Service Registry Permissions Weakness
|Service Registry Permissions Weakness|
|Tactic||Persistence, Privilege Escalation|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|System Requirements||Ability to modify a service binPath value in the Registry|
|Permissions Required||Administrator, SYSTEM|
|Data Sources||Windows Registry, Services, Process command-line parameters|
If the permissions for users and groups to access the binPath/ImagePath Registry value for a service are not properly secured, adversaries can change the path to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute.
Identify and block potentially malicious software that may be executed through service abuse by using whitelisting1 tools like AppLocker23 that are capable of auditing and/or blocking unknown programs.
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path is changed to a location that is not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information.4 Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.