Detections
Analytics
Hijack Execution Flow: Services Registry Permissions Weakness
Description
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services ACL | Plugin ID: 44401 |
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users | Plugin ID: 167250 |
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Groups | Plugin ID: 167251 |
| Tenable Identity Exposure | Active Directory | Authenticated AD User | LDAP | List of Domain Users and Groups |
References
Microsoft Windows SMB Service Config Enumeration
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence, Privilege Escalation, Defense Evasion
Technique: Hijack Execution Flow
Sub-Technique: Services Registry Permissions Weakness
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q3