CAPEC-478 Detail
Modification of Windows Service Configuration
Abstraction: Detailed
Domain: Software
Likelihood of Attack: Low
Typical Severity: High
Parents: 203
Threats: T62 T68
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-478 | capec | https://capec.mitre.org/data/definitions/478.html | |
| CWE-284 | cwe | http://cwe.mitre.org/data/definitions/284.html | |
| T1574.011 | ATTACK | https://attack.mitre.org/wiki/Technique/T1574/011 | Hijack Execution Flow: Service Registry Permissions Weakness |
| T1543.003 | ATTACK | https://attack.mitre.org/wiki/Technique/T1543/003 | Create or Modify System Process: Windows Service |
Explore
- Determine target system: The adversary must first determine the system whose registry they wish to modify. This must be a Windows machine, as this attack only works on the Windows registry.
Experiment
- Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the Windows registry.
| Techniques |
|---|
| Gain physical access to a system, either by shoulder surfing a password or by using a system that was left unlocked. |
| Gain remote access to a system through a variety of means. |
Exploit
- Modify the Windows registry: The adversary modifies the Windows registry by changing the configuration settings for a service. Specifically, the adversary changes the path setting so that it points to a malicious binary, which is then executed in place of the service's legitimate binary.
Prerequisites:
- The adversary must have the capability to write to the Windows Registry on the targeted system.
Resources Required:
- None: No specialized resources are required to execute this type of attack.
| Scope | Impact |
|---|---|
| Integrity | Execute Unauthorized Commands (By altering specific configuration settings for the service, the adversary could cause arbitrary code to be executed.) |