Try it using Invoke-Atomic

Hijack Execution Flow: Services Registry Permissions Weakness

Description from ATT&CK

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the <code>FailureCommand</code> key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)

The <code>Performance</code> key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the <code>Performance</code> key is not already present and if an adversary-controlled user has the <code>Create Subkey</code> permission, adversaries may create the <code>Performance</code> key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)

Adversaries may also add the <code>Parameters</code> key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll</code>.(Citation: malware_hides_service) https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Service Registry Permissions Weakness

Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"

Supported Platforms: windows

auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a

Inputs:

Name Description Type Default Value
weak_service_name weak service check String weakservicename

Attack Commands: Run with powershell!

1
2
3
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL

Atomic Test #2 - Service ImagePath Change with reg.exe

Change Service registry ImagePath of a bengin service to a malicious file

Supported Platforms: windows

auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827

Inputs:

Name Description Type Default Value
weak_service_name weak service name String calcservice
weak_service_path weak service path String %windir%\system32\win32calc.exe
malicious_service_path malicious service path String %windir%\system32\cmd.exe

Attack Commands: Run with command_prompt!

1
2
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"

Cleanup Commands:

1
2
sc.exe delete #{weak_service_name}

Dependencies: Run with powershell!

Description: The service must exist (#{weak_service_name})

Check Prereq Commands:

1
2
if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"

source