SharpUp fails to detect when too permissive ACLs are set on a service's registry key
cnotin opened this issue · 0 comments
There are several ways to exploit weak ACLs on a service, depending on where the ACL is set:
- File ACLs on the service binary file:
  - Detected by SharpUp with `GetModifiableServiceBinaries`
- Service ACLs on the service itself:
  - Detected by SharpUp with `GetModifiableServices`
- Registry ACLs on the service's registry key in `HKLM\SYSTEM\CurrentControlSet\Services`:
  - NOT detected by SharpUp (let me know if I'm missing something here)
This technique is described in ATT&CK with ID T1058 and in many other documents and tutorials, e.g. https://labs.mwrinfosecurity.com/assets/1089/original/Windows_Services_-_All_roads_lead_to_SYSTEM-1.1-oct15.pdf in section "2.2 Insecure Registry Permissions".
I confirm that the ACLs on the service itself can be different from the ones set on the registry key of the service.
For example, under `HKLM\SYSTEM\CurrentControlSet\Services\<service_name>\` each service has a value entry named `ImagePath` that can be changed to start a different service binary file, if the attacker has the proper rights on `HKLM\SYSTEM\CurrentControlSet\Services\<service_name>\` and the service runs as a more privileged user (e.g. SYSTEM).
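As an added, read-only audit example (my code, not SharpUp's), the following PowerShell lists service registry keys whose ACL grants write rights to low-privileged principals, i.e. the check described above that SharpUp does not perform. The list of "low-privileged" principals and the rights mask are my assumptions about what counts as too permissive.

```powershell
# Added audit example, not SharpUp code. Read-only: it only reports service keys
# under HKLM\SYSTEM\CurrentControlSet\Services whose ACL lets a low-privileged
# principal rewrite values such as ImagePath or take over the key.
function Find-WeakServiceKeyAcl {
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Assumption: principals every interactive non-admin user belongs to, plus
    # the current user (covers ACEs granted to one specific account).
    $lowPrivPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    # Any of these rights is enough to change ImagePath or to grant oneself more.
    $r = [System.Security.AccessControl.RegistryRights]
    $writeMask = $r::SetValue -bor $r::CreateSubKey -bor $r::WriteKey
    $writeMask = $writeMask -bor $r::ChangePermissions -bor $r::TakeOwnership -bor $r::FullControl

    Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Keys whose DACL we cannot read are skipped rather than reported.
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                RunsAs    = $props.ObjectName   # service account; SYSTEM is the case to fix first
                ImagePath = $props.ImagePath
            }
        }
    }
}

Find-WeakServiceKeyAcl | Format-Table -AutoSize
```

Run it from a standard (non-elevated) user session so the ACE matching reflects what an unprivileged account actually holds; it changes nothing on the host.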