Exploitable Service Misconfigurations
Windows services can be misconfigured in several ways. Attackers can abuse the following conditions.
DLL Hijacking (IMP)
Occurs when a service loads DLLs from directories where attackers can write files.
An attacker places a malicious DLL in the load path, and it is executed in the context of the service.
Insecure Service Permissions (binPath Abuse)
Permissions on the service configuration (especially binPath) allow attackers to change what binary the service runs.
Service Registry Key Permissions
If attackers have write access to service registry keys (e.g. HKLM\SYSTEM\CurrentControlSet\Services\ServiceName), they can change the binary path.
Unquoted Service Path (IMP)
Services with paths that include spaces and are unquoted can be hijacked.
Example: for Path = C:\Program Files\Some Service\service.exe, a malicious C:\Program.exe can be executed instead.
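To audit for this condition, the following added example (not part of the original page) flags unquoted ImagePath values and lists the earlier locations a defender should confirm are absent and not writable by standard users. The function names and sample service entries are constructed for illustration, and the ".exe" boundary detection is a heuristic.

```python
import re

# Constructed sample ImagePath values (illustrative, not from a real host).
SAMPLE_SERVICES = {
    "SomeService": r"C:\Program Files\Some Service\service.exe",
    "QuotedService": r'"C:\Program Files\Some Service\service.exe" -k run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "WithArgs": r"C:\Program Files\Vendor App\agent.exe --config C:\cfg.ini",
}

# Heuristic: the executable ends at the first ".exe" followed by a space or end of string.
EXE_RE = re.compile(r"(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def ambiguous_candidates(image_path):
    """Return the earlier paths Windows may try for an unquoted ImagePath.

    An empty list means the value is quoted, has no space in the executable
    part, or is not an .exe path (drivers, for example, are out of scope here).
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    match = EXE_RE.match(path)
    if not match:
        return []
    exe = match.group(1)
    # Each space is a point where the path can be cut short and ".exe" appended.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each at-risk service name to the locations that need checking."""
    findings = {}
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces")
        for candidate in candidates:
            print(f"  verify absent and parent dir not user-writable: {candidate}")
```

Flagged entries are remediated by wrapping the executable path in double quotes in the service configuration.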
Insecure File Permissions (Service Executable File Path)
If the binary a service points to can be overwritten, the attacker can replace it with a payload.