Detect Services File Permissions Weakness in IBM QRadar
Adversaries may replace service executable binaries by exploiting weak file or directory permissions on service binaries. Windows services run with specific account privileges (often SYSTEM, LocalService, or NetworkService). If the permissions on the service binary or its parent directory allow non-privileged users to write, an adversary can overwrite the binary with a malicious payload. When the service starts (on reboot or manually), the malicious binary executes at the service's privilege level. BlackEnergy malware used this technique to replace disabled driver service binaries and then re-enable the service for persistence. PowerSploit's Get-ModifiableServiceFile discovers exploitable service binaries.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.010 Services File Permissions Weakness
- Canonical reference
- https://attack.mitre.org/techniques/T1574/010/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS HostIP, username,
"CommandLine", "Image" AS ProcessImage,
"TargetFilename" AS ModifiedFile,
CASE
WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
ELSE 50
END AS RiskScore,
CASE
WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
ELSE 'Suspicious File Activity'
END AS AlertType
FROM events
WHERE eventid IN (1, 11)
AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
AND username NOT ILIKE '%SYSTEM%'
AND username NOT ILIKE '%TrustedInstaller%'
AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURSQRadar AQL detection for Services File Permissions Weakness. Detects modification of service binary files by non-SYSTEM, non-installer accounts. The query correlates file modification events on EXE/DLL files in service installation directories with the Services
Data Sources
Required Tables
False Positives & Tuning
- Legitimate multi-stage installer processes that modify binaries during installation
- Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
- Self-updating applications modifying their own components
- Antivirus software modifying installer files during remediation
Other platforms for T1574.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Check Service Binary Permissions for Exploitation
Expected signal: PowerShell process creation with WMI Win32_Service query and file ACL enumeration. Sysmon Event ID 19 may log the WMI query. Multiple file read operations to check ACLs on service binaries.
- Test 2Simulate Service Binary Replacement (Hash-Verified)
Expected signal: Service creation event (Security Event ID 7045). File modification event (Sysmon EventCode 11) for test_svc.exe after replacement. Hash change detectable via Sysmon event which includes SHA256.
- Test 3Verify Service Permission Using AccessChk
Expected signal: Process creation for accesschk.exe or icacls.exe with Program Files as target. These tools inspect file ACLs without modifying them. Security audit logs may capture the file access depending on auditing configuration.
Unlock Pro Content
Get the full detection package for T1574.010 including response playbook, investigation guide, and atomic red team tests.