| Name |
Modification of Windows Service Configuration |
|
| Likelyhood of attack |
Typical severity |
| Low |
High |
|
| Summary |
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service. |
| Prerequisites |
The adversary must have the capability to write to the Windows Registry on the targeted system. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Determine target system] The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry. |
|
| 2 |
Experiment |
[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the windows registry. |
- Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
- Gain remote access to a system through a variety of means.
|
| 3 |
Exploit |
[Modify windows registry] The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed. |
|
|
| Solutions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-284 |
Improper Access Control |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-203 |
An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1574.011 |
Hijack Execution Flow:Service Registry Permissions Weakness |
| 1543.003 |
Create or Modify System Process:Windows Service |
|