Hijack Execution Flow: Services File Permissions Weakness


Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenticated ScanSMBService bin path ACL (folder ACL)Plugin ID: 65057
Tenable Vulnerability ManagementAD Start or Identity ScanActive DirectoryAuthenticated AD UserLDAPList of Domain Users and GroupsPlugin IDS: 167250, 167251
Tenable Identity ExposureActive DirectoryAuthenticated AD UserLDAPList of Domain Users and Groups


Microsoft Windows SMB Service Config Enumeration

LDAP Active Directory - Person Enumeration

LDAP Active Directory - Group Enumeration

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence, Privilege Escalation, Defense Evasion

Platform: Windows

Tenable Release Date: 2023 Q4