T1574.010: Services File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. Service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or on the binary itself, are improperly set, then the target binary can be overwritten with another binary using only user-level permissions and will be executed by the original process the next time it starts. If the original process runs under a higher privilege level, the replacement binary executes under that same level, which for many services is SYSTEM or another service account.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher privilege level. If the executing process is set to run at a specific time or during a certain event (for example, system boot), the technique can also be used for persistence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_privilege_escalation: PT-CR-3069: Intel_ShaderCache_UAC_Bypass: Suspicious activity with the ShaderCache folder used by the Intel UHD Graphics driver: the folder was created, its files were deleted, or its permissions were changed. This may be an attacker's attempt to bypass Windows User Account Control (UAC) by abusing incorrectly set permissions of the ShaderCache folder.
vulnerabilities: PT-CR-3064: Subrule_CVE_2025_48799_PrivEsc_Via_Windows_Update_Service: Suspicious activity related to an application or MSI package installation.
vulnerabilities: PT-CR-3065: CVE_2025_48799_PrivEsc_Via_Windows_Update_Service: Possible exploitation of the CVE-2025-48799 vulnerability. This vulnerability allows attackers to delete the contents of an arbitrary directory and escalate privileges by manipulating the MSI package installation process. Signs of exploitation include deletion of a rollback script, creation of a rollback file by a process other than Msiexec.exe, and creation of the WuDownloadCache directory followed by the start of a process that triggers an application installation resulting in the deletion of the C:\Config.Msi directory.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0022 | File: File Creation | Monitor for creation of binaries and service executables that does not occur during a regular software update or an update scheduled by the organization. This also covers files that are overwritten. |
| DS0022 | File: File Modification | Monitor for modification of binaries and service executables that does not occur during a regular software update or an update scheduled by the organization. Modification includes actions such as renaming and moving between directories. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services. |
| DS0019 | Service: Service Metadata | Hashing of binaries and service executables can be used to detect replacement by comparing against historical data. |
Mitigation
| ID | Name | Description |
|---|---|---|
| M1018 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
| M1047 | Audit | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. |
| M1052 | User Account Control | Turn off UAC's privilege elevation for standard users. |
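The audit that the technique description and the M1047 mitigation call for (what PowerUp's service file-permission checks do), together with the DS0019 "hash against historical data" detection, as one added PowerShell example. This is not code from the original page or from Positive Technologies. It assumes Windows PowerShell 5.1 or later on the host being audited, a list of low-privileged principals that you will likely extend with your own domain groups, and a baseline file under ProgramData; the principal list, the baseline path and all function names are assumptions, not page content.

```powershell
# Added example (not from the page or Positive Technologies). Finds service
# binaries, or their parent directories, that low-privileged principals can
# replace (T1574.010 exposure), and keeps a SHA-256/signer baseline so a
# replaced binary shows up on a later run. Assumes Windows PowerShell 5.1+.

# Principals that must never hold write-class rights on a service binary path.
# Assumption: extend with domain groups (e.g. 'DOMAIN\Domain Users') as needed.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Power Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a caller overwrite the file, or rename/delete it through the
# directory (a running binary cannot be overwritten, but it can be moved away).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL in raw ACEs

function Get-ServiceBinaryPath {
    # Extract the executable from a service command line: quoted paths are taken
    # verbatim, unquoted ones are cut at the first ".exe" token.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p[0] -eq '"') {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) } else { return $null }
    }
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Get-WeakAce {
    # Allow ACEs (explicit or inherited) granting write-class rights to a low-priv principal.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band [int]$WriteRights) -ne 0 -or ($bits -band $GenericWriteBits) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Get-ServiceBinary {
    # One object per service whose binary exists on disk, with the account it runs as.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if ($bin -and (Test-Path -LiteralPath $bin -PathType Leaf)) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; StartMode = $svc.StartMode; Binary = $bin }
        }
    }
}

function Find-WeakServiceBinary {
    # M1047-style audit: check the binary and its parent directory for each service.
    foreach ($s in Get-ServiceBinary) {
        foreach ($target in @($s.Binary, (Split-Path -Parent $s.Binary))) {
            foreach ($hit in (Get-WeakAce $target)) {
                [pscustomobject]@{ Service = $s.Service; RunsAs = $s.RunsAs; StartMode = $s.StartMode
                                   Path = $hit.Path; Identity = $hit.Identity; Rights = $hit.Rights }
            }
        }
    }
}

function New-ServiceBinaryBaseline {
    # DS0019-style baseline: SHA-256 and Authenticode signer of every service binary.
    param([string]$OutFile)
    Get-ServiceBinary | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Binary
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{ Service = $_.Service; Binary = $_.Binary
                           Sha256 = (Get-FileHash -LiteralPath $_.Binary -Algorithm SHA256).Hash
                           SigStatus = $sig.Status.ToString(); Signer = $signer }
    } | ConvertTo-Json | Set-Content -LiteralPath $OutFile
}

function Compare-ServiceBinaryBaseline {
    # Report binaries whose hash changed since the baseline, and services not in it.
    param([string]$BaselineFile)
    $base = @{}
    foreach ($e in (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) { $base[$e.Service] = $e }
    Get-ServiceBinary | ForEach-Object {
        $now = (Get-FileHash -LiteralPath $_.Binary -Algorithm SHA256).Hash
        $old = $base[$_.Service]
        if (-not $old) { $state = 'NewService' }
        elseif ($old.Sha256 -ne $now) { $state = 'HashChanged' }
        else { return }   # unchanged: skip this service
        $sig = Get-AuthenticodeSignature -FilePath $_.Binary
        [pscustomobject]@{ Service = $_.Service; Binary = $_.Binary; State = $state
                           SigStatus = $sig.Status.ToString(); OldSha256 = $old.Sha256; NewSha256 = $now }
    }
}

# Usage: audit now, record a baseline, and compare against it on later runs.
Find-WeakServiceBinary | Sort-Object Service | Format-Table -AutoSize
New-ServiceBinaryBaseline -OutFile "$env:ProgramData\service-baseline.json"
# Later: Compare-ServiceBinaryBaseline -BaselineFile "$env:ProgramData\service-baseline.json"
```

Read the audit output together with the RunsAs column: a writable binary for a service running as LocalSystem is a direct SYSTEM escalation, while the attacker still needs the service to restart (a reboot, or SERVICE_STOP/SERVICE_START rights on it) before the swapped binary runs. The parent-directory check matters because a binary that is currently executing cannot be overwritten, but Delete on the directory lets it be renamed and replaced. Fix findings by removing the offending ACE, for example with icacls and /remove:g, rather than by denying rights on top of it. Unquoted paths containing spaces are a separate weakness (T1574.009) and are not flagged here; on the comparison side, a HashChanged entry whose SigStatus is no longer Valid, or whose signer changed, is the case worth escalating first.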