Service Registry Permissions Weakness Check

 1title: Service Registry Permissions Weakness Check
 2id: 95afc12e-3cbb-40c3-9340-84a032e596a3
 3status: test
 4description: |
 5    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
 6    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
 7    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
10    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
11author: frack113
12date: 2021-12-30
13tags:
14    - attack.privilege-escalation
15    - attack.persistence
16    - attack.execution
17    - attack.stealth
18    - attack.t1574.011
19    - stp.2a
20logsource:
21    product: windows
22    category: ps_script
23    definition: 'Requirements: Script Block Logging must be enabled'
24detection:
25    selection:
26        ScriptBlockText|contains|all:
27            - 'get-acl'
28            - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
29    condition: selection
30falsepositives:
31    - Legitimate administrative script
32level: medium