Skip to content
Threat Feed
high advisory

Windows Service Creation via Registry Modification

Detection of registry modifications to create Windows services, a common persistence technique used by attackers to maintain access, escalate privileges, or move laterally within a network.

Attackers often modify the registry to create or configure Windows services for persistence. This technique involves manipulating specific registry keys under HKLM\SYSTEM\CurrentControlSet\Services to define service parameters such as the executable path (ImagePath). By creating or modifying these registry entries, adversaries can ensure their malicious code is executed automatically upon system startup or when a specific service is triggered. This activity is significant because it indicates potential unauthorized changes to service configurations, a common persistence technique used by attackers.

Attack Chain

  1. Attacker gains initial access to the system (e.g., through compromised credentials or exploit).
  2. Attacker uses reg.exe or similar tools to modify the registry.
  3. The attacker navigates to HKLM\SYSTEM\CurrentControlSet\Services.
  4. The attacker creates a new subkey representing a new service or modifies an existing service subkey.
  5. The attacker sets the ImagePath value within the service subkey to point to a malicious executable.
  6. The attacker may also modify other service parameters like DisplayName, Description, or Start type.
  7. The attacker starts the newly created or modified service.
  8. The malicious executable is executed with elevated privileges, providing the attacker with persistent access to the system.

Impact

Successful exploitation allows an attacker to maintain persistent access to the compromised system, escalate privileges, and move laterally within the network. This can lead to data theft, ransomware deployment, or other damaging outcomes. The modification of Windows services can go unnoticed by users, allowing the attacker to operate covertly.

Recommendation

  • Enable Sysmon Event ID 13 (Registry Event) to capture registry modifications.
  • Deploy the Sigma rule "Windows Service Creation Using Registry Entry" to your SIEM to detect suspicious registry modifications related to service creation.
  • Investigate any alerts generated by the Sigma rule to identify potentially malicious service creations.
  • Monitor for unexpected processes being launched as services via registry modifications.
  • Review and harden permissions on registry keys related to service creation to prevent unauthorized modifications.
  • Implement application control to restrict the execution of unauthorized executables as services.

Detection coverage 2

Windows Service Creation Using Registry Entry

high

Detects the modification of registry keys that define Windows services.

sigma tactics: persistence, privilege_escalation techniques: T1574.011 sources: registry_set, windows

Suspicious Registry Modification of Service Start Type

medium

Detects suspicious changes to the Start value of a Windows service, potentially disabling or modifying the service's startup behavior.

sigma tactics: defense_evasion, persistence techniques: T1562.001 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →