MITRE ATT&CK Technique
Description
Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted. (Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
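A defender-side audit for the weakness described above, added here as an example and not part of the ATT&CK entry: it lists service keys whose ACL grants write-capable rights to principals outside a baseline of trusted accounts, together with the current <code>ImagePath</code> and <code>FailureCommand</code> values. The trusted-principal list and the rights mask are assumptions to tune per environment, and only the top-level key of each service is checked.

```powershell
# Added audit example; run from an elevated PowerShell session.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed baseline of principals expected to hold write access to service keys.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow changing ImagePath/FailureCommand or re-permissioning the key.
# The two hex values are GENERIC_ALL and GENERIC_WRITE, which can appear unmapped
# in inheritable ACEs.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = ([int]$specific) -bor 0x10000000 -bor 0x40000000

$findings = foreach ($key in Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue) {
    # Skip keys whose ACL cannot be read in the current context.
    try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { continue }
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }

        $who = $ace.IdentityReference.Value
        if ($trusted -contains $who) { continue }

        [pscustomobject]@{
            Service        = $key.PSChildName
            Principal      = $who
            Rights         = $ace.RegistryRights
            Inherited      = $ace.IsInherited
            ImagePath      = $props.ImagePath
            FailureCommand = $props.FailureCommand
        }
    }
}

$findings | Sort-Object Service, Principal | Format-Table -AutoSize -Wrap
```

Per-service accounts that legitimately manage their own key will appear in the output; review them and add them to the baseline rather than suppressing the whole check.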
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:49.119Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows stores local service configuration information in the '
'Registry under '
'<code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The '
"information stored under a service's Registry keys can be "
"manipulated to modify a service's execution parameters "
'through tools such as the service controller, sc.exe, '
'[PowerShell](https://attack.mitre.org/techniques/T1086), or '
'[Reg](https://attack.mitre.org/software/S0075). Access to '
'Registry keys is controlled through Access Control Lists and '
'permissions. (Citation: MSDN Registry Key Security)\n'
'\n'
'If the permissions for users and groups are not properly set '
'and allow access to the Registry keys for a service, then '
'adversaries can change the service binPath/ImagePath to point '
'to a different executable under their control. When the '
'service starts or is restarted, then the adversary-controlled '
'program will execute, allowing the adversary to gain '
'persistence and/or privilege escalation to the account '
'context the service is set to execute under (local/domain '
'account, SYSTEM, LocalService, or NetworkService).\n'
'\n'
'Adversaries may also alter Registry keys associated with '
'service failure parameters (such as '
'<code>FailureCommand</code>) that may be executed in an '
'elevated context anytime the service fails or is '
'intentionally corrupted.(Citation: TrustedSignal Service '
'Failure)(Citation: Twitter Service Recovery Nov 2017)',
'external_references': [{'external_id': 'T1058',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1058'},
{'external_id': 'CAPEC-478',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/478.html'},
{'description': 'Microsoft. (n.d.). Registry Key '
'Security and Access Rights. '
'Retrieved March 16, 2017.',
'source_name': 'MSDN Registry Key Security',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx'},
{'description': 'Hull, D. (2014, May 3). Kansa: '
'Service related collectors and '
'analysis. Retrieved October 10, '
'2019.',
'source_name': 'TrustedSignal Service Failure',
'url': 'https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html'},
{'description': 'The Cyber (@r0wdy_). (2017, November '
'30). Service Recovery Parameters. '
'Retrieved April 9, 2018.',
'source_name': 'Twitter Service Recovery Nov 2017',
'url': 'https://twitter.com/r0wdy_/status/936365549553991680'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'}],
'id': 'attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:39.967Z',
'name': 'Service Registry Permissions Weakness',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Matthew Demaske, Adaptforward',
'Travis Smith, Tripwire'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}