By hijacking the Registry entries used by services, attackers can run their own payloads. Weak permissions on a service's registry key let an attacker redirect the service from its originally configured executable to one they control, so that the next time the service starts it executes their unauthorized code.
Practice
An attacker can leverage this misconfiguration to replace the ImagePath of a service with the path of a custom malicious executable, which then runs in the account context the service is configured to execute under (a local or domain account, SYSTEM, LocalService, or NetworkService), giving the attacker that account's privileges.
We can check our permissions on the service registry keys using one of the following methods:
CMD
:: Get the binary paths of the services
reg query hklm\System\CurrentControlSet\Services /s /v imagepath
:: Try to write every service key back with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
Alternatively, we can use AccessChk from the Sysinternals tools to enumerate permissions on the service keys.
:: List rights for Authenticated Users on the services registry key
accesschk64.exe /accepteula "authenticated users" -kvuqsw hklm\System\CurrentControlSet\services
:: List Everyone rights on the services registry key
accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services
:: List Everyone rights on a specific service registry key
accesschk64.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services\<Name>
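For the defender's side of the same check, the following PowerShell audit (an added example, not from the original page or from Sysinternals) walks every subkey of HKLM\SYSTEM\CurrentControlSet\Services and reports any key where a low-privileged principal holds a right that allows changing ImagePath. The principal names and the write-right mask are assumptions for a default English Windows install and can be adjusted.

```powershell
# Audit service registry keys for write rights held by low-privileged principals.
# Run from an elevated prompt so every subkey's ACL can be read.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals that should never be able to modify a service key (assumed names).
$LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that permit replacing ImagePath or re-ACLing the key. Specific rights
# come from the RegistryRights enum; the last two are GENERIC_WRITE and
# GENERIC_ALL, which appear as raw bits in some ACEs.
$WriteRights = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
               [int][System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [int][System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [int][System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [int][System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               0x40000000 -bor 0x10000000

function Get-WritableServiceKey {
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            # Report the finding together with the binary the key currently points at.
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
                             -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
```

Any row in the output is a key whose ACL should be tightened (remove the write right or make the ACE inherit only the default Administrators/SYSTEM entries); on a clean system the list is empty.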