Detailed attack pattern

Usable

CAPEC-478: Modification of Windows Service Configuration

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

Last updated June 1, 2026

High

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-478 (Modification of Windows Service Configuration) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Determine target system] The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.
Step 2
Experiment
[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the windows registry.
- Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
- Gain remote access to a system through a variety of means.
Step 3
Exploit
[Modify windows registry] The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.

What the attacker needs

Prerequisites

The adversary must have the capability to write to the Windows Registry on the targeted system.

Resources required

None: No specialized resources are required to execute this type of attack.

Consequences

What a successful CAPEC-478 attack can achieve.

Execute Unauthorized Commands

Affects: Integrity

By altering specific configuration settings for the service, the adversary could run arbitrary code to be executed.

How to mitigate it

Defenses that reduce the risk of CAPEC-478.

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Terminology & mappings

Mapped taxonomies

ATTACK: Hijack Execution Flow:Service Registry Permissions Weakness (1574.011)
ATTACK: Create or Modify System Process:Windows Service (1543.003)

Frequently asked questions

Common questions about CAPEC-478.

What is CAPEC-478?

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

How does a Modification of Windows Service Configuration attack work?

It typically unfolds over 3 phases. It begins with: [Determine target system] The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.

How do you prevent CAPEC-478?

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

What weaknesses does CAPEC-478 target?

CAPEC-478 exploits 1 CWE weakness, including CWE-284 (Improper Access Control).

How severe is CAPEC-478?

MITRE rates CAPEC-478 as High severity with low likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-478

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing