Esc

Executable Installer File Permissions Weakness - T1574.005

(ATT&CK® Technique)

Definition

Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1574005["Executable Installer File Permissions Weakness"] --> |modifies| ServiceApplication["Service Application"]; class T1574005 OffensiveTechniqueNode;
        class ServiceApplication ArtifactNode; click ServiceApplication href "/dao/artifact/d3f:ServiceApplication";
        click T1574005 href "/offensive-technique/attack/T1574.005/"; click ServiceApplication href "/dao/artifact/d3f:ServiceApplication";             SoftwareUpdate["Software Update"] -->
          | updates | ServiceApplication["Service Application"];

          SoftwareUpdate["Software Update"] -.->
            | may-harden | T1574005["Executable Installer File Permissions Weakness"] ;
          class SoftwareUpdate DefensiveTechniqueNode;
          class ServiceApplication ArtifactNode;
          click SoftwareUpdate href "/technique/d3f:SoftwareUpdate";   RestoreSoftware["Restore Software"] -->
          | restores | ServiceApplication["Service Application"];

          RestoreSoftware["Restore Software"] -.->
            | may-restore | T1574005["Executable Installer File Permissions Weakness"] ;
          class RestoreSoftware DefensiveTechniqueNode;
          class ServiceApplication ArtifactNode;
          click RestoreSoftware href "/technique/d3f:RestoreSoftware"; ServiceBinaryVerification["Service Binary Verification"] -->
          | verifies | ServiceApplication["Service Application"];

          ServiceBinaryVerification["Service Binary Verification"] -.->
            | may-detect | T1574005["Executable Installer File Permissions Weakness"] ;
          class ServiceBinaryVerification DefensiveTechniqueNode;
          class ServiceApplication ArtifactNode;
          click ServiceBinaryVerification href "/technique/d3f:ServiceBinaryVerification";

json