Service Registry Permissions Weakness - veramine/Detections GitHub Wiki

Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions.

If the permissions for users and groups are not properly set and grant write access to a service's Registry key, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program executes, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is configured to run under (local/domain account, SYSTEM, LocalService, or NetworkService). You can read more about this attack technique at https://attack.mitre.org/wiki/Technique/T1058.
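The following PowerShell audit script is an added example for this page; it is not part of the Veramine Detections project. It walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports Allow ACEs that grant write-type Registry rights to low-privilege principals, which is the misconfiguration described above. The list of principals treated as low-privilege and the set of rights treated as write-type are assumptions made for this example.

```powershell
# Added example, not code from the Veramine wiki: audit service Registry keys for
# ACEs that let low-privilege principals rewrite service configuration (ImagePath etc.).
# Run from an elevated shell so every service key can be read.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumption for this example: principals that should never be able to modify a
# service key. Add local groups that are broad in your environment as needed.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

# Rights that allow changing ImagePath or adding values/subkeys. WriteKey and
# FullControl both include the SetValue and CreateSubKey bits, so this mask
# catches them too; ChangePermissions/TakeOwnership allow granting oneself write.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Test-WeakServiceKeyAcl {
    param([Parameter(Mandatory)][string]$KeyPath)

    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $KeyPath : $($_.Exception.Message)"
        return
    }

    foreach ($ace in $acl.Access) {
        # Only Allow entries that carry at least one write-type bit matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        [PSCustomObject]@{
            Service   = Split-Path -Path $KeyPath -Leaf
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            ImagePath = (Get-ItemProperty -Path $KeyPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        }
    }
}

$findings = Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue |
    ForEach-Object { Test-WeakServiceKeyAcl -KeyPath $_.PSPath }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No service keys grant write rights to the listed low-privilege principals."
}
```

A hit with Inherited = False points at an ACE set on that service's own key (typically by an installer); a hit with Inherited = True means the parent Services key itself has been loosened and every service is affected.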

Veramine's detection engine detects service configuration changes via its deep integration with the Windows Service Control Manager. Here is an example of the service configuration changing:
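For environments without an agent that hooks the Service Control Manager, the same class of change can be surfaced from built-in Windows auditing. The script below is an added example, not part of the Veramine project or its detection logic: it places a SACL on one service key so that successful value writes produce Security event 4657 ("A registry value was modified"), then extracts the ImagePath modifications from those events. It assumes the "Audit Registry" object-access policy is enabled, the shell is elevated, and the service name is a placeholder to be substituted.

```powershell
# Added example, not from the Veramine wiki: make ImagePath changes on a service key
# visible in the Security log (event 4657) and query them.
# Assumes Object Access > Audit Registry is enabled and the shell runs elevated.

$ServiceName = 'ExampleSvc'   # placeholder: the service whose key should be watched
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. Add a SACL entry: audit successful SetValue/CreateSubKey by anyone on this key.
$acl  = Get-Acl -Path $KeyPath -Audit
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 2. Pull 4657 events for this service where the modified value is ImagePath.
#    4657 reports the key in NT form (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\...),
#    so match on the "\Services\<name>" suffix rather than on CurrentControlSet.
function Get-ImagePathChanges {
    param(
        [Parameter(Mandatory)][string]$Service,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $pattern = "\\Services\\$([regex]::Escape($Service))"

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern -and $_.Message -match 'ImagePath' } |
    ForEach-Object {
        # Read the structured EventData fields instead of parsing the message text.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [PSCustomObject]@{
            Time     = $_.TimeCreated
            User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process  = $d.ProcessName
            Key      = $d.ObjectName
            Value    = $d.ObjectValueName
            OldValue = $d.OldValue
            NewValue = $d.NewValue
        }
    }
}

Get-ImagePathChanges -Service $ServiceName | Format-Table -AutoSize
```

The ProcessName and User fields are what make a 4657 actionable: a change to ImagePath made by services.exe or an installer under an administrator is expected, while the same change from an interactive user's shell or an unfamiliar binary is the pattern the weakness above enables.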

(Figure: images/e30-1.png, an example of a service configuration change as recorded by Veramine)