title: Services Registry Permissions Weakness (T1574.011)
id: df00tech-t1574-011
status: experimental
description: "Adversaries may redirect service execution by exploiting weak permissions on service registry keys under HKLM\\SYSTEM\\CurrentControlSet\\Services. Rather than replacing the service binary, this approach changes the registry value that names it (ImagePath or BinPath) so that it points to a malicious executable. The FailureCommand value can likewise trigger malicious execution when the service fails, and the Performance DLL key can be used for DLL injection. The WinSock2\\Parameters\\AutodialDLL value provides persistence via a DLL that is loaded every time the Winsock2 library is invoked. A vulnerability in the RpcEptMapper service allowed non-admin users to create a Performance subkey, causing a DLL to be loaded in any process using the RPC endpoint mapper."
references:
  - https://attack.mitre.org/techniques/T1574/011/
  - https://df00tech.com/detections/T1574.011
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.011
# NOTE: logsource is auto-derived (Sysmon EventID 13 / registry_set assumed) and may need adjustment for your environment
logsource:
  category: registry_set
  product: windows
detection:
  # Selection derived from the description above; see the KQL/SPL query on df00tech for the authoritative logic.
  selection_services:
    TargetObject|contains: '\CurrentControlSet\Services\'
  selection_values:
    - TargetObject|endswith:
        - '\ImagePath'
        - '\FailureCommand'
        - '\AutodialDLL'
    - TargetObject|contains: '\Performance\'
  filter_system:
    User: 'NT AUTHORITY\SYSTEM'
  condition: selection_services and selection_values and not filter_system
falsepositives:
  - "Software installers that run under the installer's user context (not SYSTEM) and modify their own service entries"
  - Some enterprise management tools that modify service configurations with user-context credentials
  - Legitimate sc.exe commands run by administrators to reconfigure services
  - "PowerShell remoting sessions that modify services using the remote user's credentials rather than SYSTEM"
level: high
