Esc

Services Registry Permissions Weakness - T1574.011

(ATT&CK® Technique)

Definition

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1574011["Services Registry Permissions Weakness"] --> |modifies| SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"]; class T1574011 OffensiveTechniqueNode;
        class SystemConfigurationInitDatabaseRecord ArtifactNode; click SystemConfigurationInitDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationInitDatabaseRecord";
        click T1574011 href "/offensive-technique/attack/T1574.011/"; click SystemConfigurationInitDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationInitDatabaseRecord";             SystemInitConfigAnalysis["System Init Config Analysis"] -->
          | analyzes | SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"];

          SystemInitConfigAnalysis["System Init Config Analysis"] -.->
            | may-detect | T1574011["Services Registry Permissions Weakness"] ;
          class SystemInitConfigAnalysis DefensiveTechniqueNode;
          class SystemConfigurationInitDatabaseRecord ArtifactNode;
          click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis";            RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1574011["Services Registry Permissions Weakness"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationInitDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";

json