T1574.010 Services File Permissions Weakness Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileCreated")
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any ("\\Program Files\\", "\\Program Files (x86)\\", "\\Windows\\")
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "wusa.exe", "trustedinstaller.exe", "svchost.exe"))
| where InitiatingProcessAccountName != "SYSTEM"
| where InitiatingProcessAccountName != "NT AUTHORITY"
| where InitiatingProcessAccountName != ""
| join kind=leftouter (
    DeviceRegistryEvents
    | where Timestamp > ago(24h)
    | where RegistryKey has "Services"
    | where RegistryValueName =~ "ImagePath"
    | extend ServiceName = extract(@"Services\\([^\\]+)\\ImagePath", 1, RegistryKey)
    | project DeviceId, ServiceName, ImagePath=RegistryValueData
) on DeviceId
| where ImagePath has FileName
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName, FolderPath, ServiceName, SHA256
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents

False Positives

Software auto-updaters that replace service binaries during updates (often run with user-level permissions rather than SYSTEM)
IT management tools (SCCM, Intune) that update service binaries as part of software deployment
Antivirus self-update mechanisms that replace their own service binaries
Some developer workflows where the developer account has write access to Program Files for testing

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| where match(TargetFilename, "(\.exe|\.dll)$")
| where match(lower(TargetFilename), "(program files|windows)")
| where User!="NT AUTHORITY\\SYSTEM" AND User!="" AND NOT match(User, "SYSTEM|TrustedInstaller")
| where NOT match(lower(Image), "(msiexec|wusa|trustedinstaller|windowsupdate|svchost)")
| eval Severity="HIGH"
| table _time, host, User, TargetFilename, Image, ProcessGuid, Severity
| sort - _time

high severity medium confidence

Data Sources

File: File Modification Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software update processes that run in user context (common for some applications)
IT deployment tools pushing updates to service binaries
Developer accounts with explicit write permissions to Program Files
Game launchers and similar applications that self-update service components

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [file where event.type == "change" and file.name : ("*.exe", "*.dll")
   and file.path : "*\\System32\\*" or file.path : "*\\Program Files\\*"
   and not user.name : ("SYSTEM", "TrustedInstaller", "Administrators")]
  [process where event.type == "start" and process.name : "services.exe"]

high severity medium confidence

Data Sources

Elastic Endpoint Security File events Process events

Required Tables

logs-endpoint.events.file.* logs-endpoint.events.process.*

False Positives

Legitimate software installers that update components in TEMP during multi-step installation
Enterprise deployment tools (SCCM, Intune) staging and modifying binaries in temp locations
Self-updating applications that modify their own components before execution
Antivirus software modifying installer binaries during scanning or remediation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

events

False Positives

Legitimate multi-stage installer processes that modify binaries during installation
Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
Self-updating applications modifying their own components
Antivirus software modifying installer files during remediation

Sumo Logic CSE

sql

_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount desc

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

_sourceCategory=*sysmon*

False Positives

Multi-stage installers that legitimately modify components in TEMP during installation
Enterprise deployment solutions staging installer binaries in temporary locations
Self-updating applications that patch their own binaries before running them
Software that extracts and immediately executes components from archives

Google Chronicle / SecOps

yaral

rule T1574_010_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574.010"
    reference = "https://attack.mitre.org/techniques/T1574/010/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    not $e.principal.user.user_display_name = "SYSTEM"

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate multi-stage installer processes that modify binaries during installation phases
Enterprise software deployment tools staging installer components in temp directories
Self-updating applications that download and replace their own binaries
Archive utilities that extract executables to temp before running them

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)\\temp\\.*\.exe/
| ParentBaseFileName != /(?i)(msiexec|trustedinstaller|wusa|dpinst|svchost)/
| UserName != "SYSTEM"
| UserName != ""
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)\\temp\\/i AND ParentBaseFileName = /(?i)(setup|install|update)/ => RiskScore := "High";
    ImageFileName = /(?i)\\temp\\/i => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate enterprise installers that update extracted binaries during installation
Software deployment tools (SCCM, Intune) staging and modifying installers in temp
Self-patching applications that download and replace their own components
Automated software update mechanisms that modify binaries before execution

Services File Permissions Weakness

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections