title: Executable Installer File Permissions Weakness (T1574.005)
id: df00tech-t1574-005
status: experimental
description: "Adversaries may hijack binaries used by installer processes by exploiting weak file permissions. Installers frequently extract binaries (EXEs, DLLs) to subdirectories within %TEMP% during installation, often with world-writable permissions. An adversary can overwrite these binaries before the installer executes them, gaining code execution at the installer's privilege level (often SYSTEM or elevated due to UAC elevation). This technique also applies to existing installed software where the binary or its directory has incorrect permissions allowing non-admin users to overwrite it. Mustang Panda has leveraged legitimate installer executables (e.g., Setup Factory IRSetup.exe) to deploy payloads."
references:
  - https://attack.mitre.org/techniques/T1574/005/
  - https://df00tech.com/detections/T1574.005
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software installers that update extracted files as part of a multi-step installation process
  - Self-updating applications that modify their own installer components in TEMP before execution
  - Enterprise software deployment systems (SCCM, Intune) that stage and modify installers in temp locations
  - Antivirus software that modifies installer binaries as part of scanning or remediation
level: high
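The detection block above is a placeholder, so here is an added illustration (not df00tech's logic and not taken from the referenced query) of the correlation a practitioner would build for this technique: walk Sysmon-style file-write and process-creation events and flag an elevated process whose image sits under %TEMP% and was last written by something other than the installer that launches it. The event field names, TEMP layouts, paths and sample events are all assumptions constructed for the example.

```python
import re

# Assumed temp layouts: per-user AppData\Local\Temp and C:\Windows\Temp (case-insensitive).
TEMP_RE = re.compile(r"^(?:c:\\users\\[^\\]+\\appdata\\local\\temp|c:\\windows\\temp)\\", re.I)
ELEVATED = {"High", "System"}   # integrity levels at which a hijacked helper matters most

def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))

def find_hijacked_launches(events):
    """events: time-ordered dicts with 'event' in {'file_write', 'process_create'}
    (fields modelled loosely on Sysmon EID 11 / EID 1; shape is an assumption).
    Flags an elevated process whose image lives under %TEMP% and whose most recent
    writer is not the parent process that launches it."""
    writers = {}      # lowercased path -> set of images that wrote it
    last_writer = {}  # lowercased path -> image of the most recent writer
    alerts = []
    for ev in events:
        if ev["event"] == "file_write" and in_temp(ev["target"]):
            key = ev["target"].lower()
            writers.setdefault(key, set()).add(ev["image"].lower())
            last_writer[key] = ev["image"].lower()
        elif ev["event"] == "process_create" and in_temp(ev["image"]):
            key = ev["image"].lower()
            writer = last_writer.get(key)
            if writer and writer != ev["parent_image"].lower() and ev["integrity"] in ELEVATED:
                alerts.append({"image": ev["image"], "parent": ev["parent_image"],
                               "last_writer": writer, "writers": sorted(writers[key]),
                               "user": ev["user"]})
    return alerts

# Constructed sample: an installer extracts two helpers, a second process overwrites one,
# then the installer launches both at High integrity (UAC-elevated). Only the
# overwritten helper should alert; unins000.exe was written solely by its parent.
TEMP = r"C:\Users\bob\AppData\Local\Temp"
INSTALLER = r"C:\Users\bob\Downloads\AppSetup.exe"
OTHER = r"C:\Users\bob\Downloads\other.exe"
HELPER = TEMP + r"\is-K3T9.tmp\helper.exe"
UNINS = TEMP + r"\is-K3T9.tmp\unins000.exe"
SAMPLE_EVENTS = [
    {"event": "file_write", "image": INSTALLER, "target": HELPER, "user": "CORP\\bob"},
    {"event": "file_write", "image": INSTALLER, "target": UNINS, "user": "CORP\\bob"},
    {"event": "file_write", "image": OTHER, "target": HELPER, "user": "CORP\\bob"},
    {"event": "process_create", "image": UNINS, "parent_image": INSTALLER, "integrity": "High", "user": "CORP\\bob"},
    {"event": "process_create", "image": HELPER, "parent_image": INSTALLER, "integrity": "High", "user": "CORP\\bob"},
]

if __name__ == "__main__":
    for a in find_hijacked_launches(SAMPLE_EVENTS):
        print(f"ALERT {a['parent']} launched {a['image']} last written by {a['last_writer']}")
```

In production the same join is done in the SIEM (file-create events keyed on TargetFilename against process-create events keyed on Image), and the false positives listed above (updaters, SCCM/Intune staging, AV remediation) are the writers you would allow-list.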
