Detect Executable Installer File Permissions Weakness in IBM QRadar
Adversaries may hijack binaries used by installer processes by exploiting weak file permissions. Installers frequently extract binaries (EXEs, DLLs) to subdirectories within %TEMP% during installation, often with world-writable permissions. An adversary can overwrite these binaries before the installer executes them, gaining code execution at the installer's privilege level (often SYSTEM or elevated due to UAC elevation). This technique also applies to existing installed software where the binary or its directory has incorrect permissions allowing non-admin users to overwrite it. Mustang Panda has leveraged legitimate installer executables (e.g., Setup Factory IRSetup.exe) to deploy payloads.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.005 Executable Installer File Permissions Weakness
- Canonical reference
- https://attack.mitre.org/techniques/T1574/005/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS HostIP, username,
"CommandLine", "Image" AS ProcessImage,
"TargetFilename" AS ModifiedFile,
CASE
WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
ELSE 50
END AS RiskScore,
CASE
WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
ELSE 'Suspicious File Activity'
END AS AlertType
FROM events
WHERE eventid IN (1, 11)
AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
AND username NOT ILIKE '%SYSTEM%'
AND username NOT ILIKE '%TrustedInstaller%'
AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURSQRadar AQL detection for Executable Installer File Permissions Weakness. Detects potential installer hijacking by correlating installer processes executing from TEMP directories with file modification events on EXE/DLL files in those same directories. The key pattern is: a
Data Sources
Required Tables
False Positives & Tuning
- Legitimate multi-stage installer processes that modify binaries during installation
- Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
- Self-updating applications modifying their own components
- Antivirus software modifying installer files during remediation
Other platforms for T1574.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Identify World-Writable Installer Directories in TEMP
Expected signal: Sysmon Event ID 1: powershell.exe with Get-Acl command accessing temp directory ACLs. No file modification events. PowerShell ScriptBlock Log Event ID 4104 with the full ACL enumeration script.
- Test 2Simulate Binary Replacement in Installer Temp Directory
Expected signal: Sysmon Event ID 11 (FileCreate): setup_component.exe created in TEMP. Sysmon Event ID 2 (FileCreateTime): file modification timestamp change. Security Event ID 4663 if object access auditing is enabled, showing the file write. icacls process creation events.
- Test 3Check Service Binary Permissions for Hijacking Opportunities
Expected signal: PowerShell process creation events. WMI query to Win32_Service (Sysmon Event ID 19 if WMI monitoring enabled). File ACL access events for each checked service binary path.
Unlock Pro Content
Get the full detection package for T1574.005 including response playbook, investigation guide, and atomic red team tests.