Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally speci
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'add '
- 'SYSTEM\CurrentControlSet\Services\'
- ' ImagePath '
selection_value:
CommandLine|contains|windash: ' -d '
condition: all of selection*
falsepositives:
- Unknown
level: medium
imProcessCreate
| where (TargetProcessName endswith "\\reg.exe" and (TargetProcessCommandLine contains "add " and TargetProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and TargetProcessCommandLine contains " ImagePath ")) and (TargetProcessCommandLine contains " -d " or TargetProcessCommandLine contains " /d " or TargetProcessCommandLine contains " –d " or TargetProcessCommandLine contains " —d " or TargetProcessCommandLine contains " ―d ")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |