T1574.010 Services File Permissions Weakness Mappings

Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1574.010 | Services File Permissions Weakness |
| AC-3 | Access Enforcement | Protects | T1574.010 | Services File Permissions Weakness |
| AC-4 | Information Flow Enforcement | Protects | T1574.010 | Services File Permissions Weakness |
| AC-5 | Separation of Duties | Protects | T1574.010 | Services File Permissions Weakness |
| AC-6 | Least Privilege | Protects | T1574.010 | Services File Permissions Weakness |
| CA-8 | Penetration Testing | Protects | T1574.010 | Services File Permissions Weakness |
| CM-2 | Baseline Configuration | Protects | T1574.010 | Services File Permissions Weakness |
| CM-5 | Access Restrictions for Change | Protects | T1574.010 | Services File Permissions Weakness |
| CM-6 | Configuration Settings | Protects | T1574.010 | Services File Permissions Weakness |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1574.010 | Services File Permissions Weakness |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.010 | Services File Permissions Weakness |
| SI-4 | System Monitoring | Protects | T1574.010 | Services File Permissions Weakness |
| action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness |