An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.
Description
Attack Execution Flow
3
1
Step 1
Explore[Determine target system] The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.
AI Translation
[Determina il sistema target] L'attaccante deve prima identificare il sistema sul quale desidera modificare il registro. Deve trattarsi di una macchina Windows, poiché questo attacco funziona esclusivamente sul registro di Windows.
2
Step 2
Experiment[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the windows registry.
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
Gain remote access to a system through a variety of means.
AI Translation
[Ottenere l'accesso al sistema] L'avversario deve ottenere l'accesso al sistema in qualche modo in modo da poter modificare il registro di Windows.
Ottenere l'accesso fisico a un sistema attraverso il shoulder surfing di una password o accedendo a un sistema lasciato sbloccato.
Ottenere l'accesso remoto a un sistema attraverso una varietà di metodi.
Attack Techniques
-
Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
-
Gain remote access to a system through a variety of means.IT: Ottenere l'accesso fisico a un sistema tramite shoulder surfing di una password o accedendo a un sistema lasciato sbloccato.
3
Step 3
Exploit[Modify windows registry] The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.
AI Translation
[Modifica del registro di Windows] L'avversario modificherà il registro di Windows cambiando le impostazioni di configurazione di un servizio. In particolare, l'avversario cambierà le impostazioni del percorso per definire un percorso a un binario dannoso da eseguire.
Mitigations
1
Ensure Proper Permissions Are Set For Registry Hives To Prevent Users From Modifying Keys For System Components That May Lead To Privilege Escalation.
Consequences
Security Scopes Affected
Integrity
Potential Impacts
Execute Unauthorized Commands
Relationships
Parent CAPECs
Related ATT&CK Techniques
2
T1543.003
Windows Service
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, …
T1574.011
Services Registry Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in …
Resources Required
1
None: No specialized resources are required to execute this type of attack.