T1574.010: Services File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Detection
ID | DS0019 | Data source and component | Service: Service Metadata | Description | Hashing of binaries and service executables could be used to detect replacement against historical data. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services. |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for modification of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. Modification of files considers actions such as renaming and directory moving. |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for creation of binaries and service executables that do not occur during a regular software update or an update scheduled by the organization. This behavior also considers files that are overwritten. |
---|
Mitigation
ID | M1018 | Name | User Account Management | Description | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
---|
ID | M1047 | Name | Audit | Description | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. |
---|
ID | M1052 | Name | User Account Control | Description | Turn off UAC's privilege elevation for standard users |
---|