Detections
Analytics
Hijack Execution Flow: Services File Permissions Weakness
Description
Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Service bin path ACL (folder ACL) | Plugin ID: 65057 |
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users and Groups | Plugin IDS: 167250, 167251 |
| Tenable Identity Exposure | Active Directory | Authenticated AD User | LDAP | List of Domain Users and Groups |
References
Microsoft Windows SMB Service Config Enumeration
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence, Privilege Escalation, Defense Evasion
Technique: Hijack Execution Flow
Sub-Technique: Services File Permissions Weakness
Platform: Windows
Products Required: Tenable Vulnerability Management or (Tenable Vulnerability Management and Tenable Identity Exposure)
Tenable Release Date: 2023 Q4