Skip to content

Hide Navigation Hide TOC

Changing Existing Service ImagePath Value Via Reg.EXE (9b0b7ac3-6223-47aa-a3fd-e8f211e637db)

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Cluster A Galaxy A Cluster B Galaxy B Level
Changing Existing Service ImagePath Value Via Reg.EXE (9b0b7ac3-6223-47aa-a3fd-e8f211e637db) Sigma-Rules Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) Attack Pattern 1
Services Registry Permissions Weakness - T1574.011 (17cc750b-e95b-4d7d-9dde-49e0de24148c) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2