title: Services File Permissions Weakness (T1574.010)
id: df00tech-t1574-010
status: experimental
description: "Adversaries may replace a service's executable by exploiting weak file or directory permissions. Windows services run under a specific account (often SYSTEM, LocalService or NetworkService). If the ACL on the service binary grants write, delete or modify rights to non-privileged users, an adversary can overwrite the binary with a malicious payload. The parent directory matters as well: its ACEs are usually inherited by the binary, and a right such as FILE_DELETE_CHILD on the directory lets the binary be removed or renamed and replaced regardless of the file's own ACL. When the service next starts (at boot, on a manual start, or after the adversary restarts it), the malicious binary runs at the service's privilege level. BlackEnergy used this technique: it dropped its driver over the binary of an existing disabled driver service and then set that service to start automatically for persistence. PowerSploit's Get-ModifiableServiceFile enumerates services whose binaries, or containing directories, are modifiable by the current user."
references:
  - https://attack.mitre.org/techniques/T1574/010/
  - https://df00tech.com/detections/T1574.010
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # A native version would key on file create/overwrite events (e.g. Sysmon Event ID 11)
  # whose target path matches a service ImagePath value and whose writing process does not
  # run as SYSTEM, optionally joined with a subsequent change of the service's start type.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software auto-updaters that replace their own service binaries during updates; some per-user installed applications do this from a user-level process rather than SYSTEM, which looks exactly like the attack
  - "IT management tools (SCCM, Intune) that update service binaries as part of software deployment"
  - Antivirus self-update mechanisms that replace their own service binaries
  - Some developer workflows where the developer account has write access to Program Files for testing
level: high
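As an added example (not the df00tech rule's own query, and not PowerSploit's Get-ModifiableServiceFile), the following PowerShell performs the check the description refers to: it enumerates services and kernel driver services, resolves each ImagePath to a file, and reports binaries or parent directories whose ACLs grant tamper rights to the current token. The principal list is taken from the running token, so run it unelevated as the low-privilege account whose exposure you want to measure; function names, variable names and the chosen right sets are my own assumptions.

```powershell
# Added example: find service binaries, or their parent directories, that the current
# user can tamper with. Read-only; nothing is modified. Not part of the df00tech rule.
# An elevated Administrators token has FullControl almost everywhere and produces noise,
# so run this unelevated as the standard user being evaluated.

# Principals held by the current token, as both SID strings and NT account names,
# so an ACE matches whichever form Get-Acl reports for its IdentityReference.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$Principals = @($id.User.Value, $id.Name) + @($id.Groups | ForEach-Object {
    $_.Value
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
})

# Rights that allow replacing or tampering with the target. Modify and FullControl
# contain these bits, so a -band test catches them too. (Assumed right sets.)
$FileRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$DirRights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE, seen on some ACEs

function Get-ServiceBinaryPath {
    # Turn a raw PathName ('"C:\Program Files\x\svc.exe" -k', 'C:\a b\svc.exe -arg',
    # '\SystemRoot\system32\drivers\foo.sys', 'system32\drivers\bar.sys') into a file path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # Unquoted path, possibly with spaces and arguments: grow the prefix token by
        # token until it names an existing .exe/.sys/.dll; fall back to the first token.
        $tokens = $p -split ' '
        $p = $tokens[0]
        for ($i = 0; $i -lt $tokens.Count; $i++) {
            $candidate = $tokens[0..$i] -join ' '
            if ($candidate -match '\.(exe|sys|dll)$' -and (Test-Path -LiteralPath $candidate)) { $p = $candidate; break }
        }
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\SystemRoot\\')   { $p = $env:SystemRoot + $p.Substring('\SystemRoot'.Length) }
    elseif ($p -match '^\\\?\?\\')     { $p = $p.Substring(4) }          # strip NT "\??\" prefix
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative driver path
    return $p
}

function Get-TamperAce {
    # Emit Allow ACEs on $Path that give one of $Rights (or generic write/all) to a
    # principal in $Principals. Simplification: Deny ACEs and ordering are not evaluated.
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band [int]$Rights) -ne 0) -or (($raw -band $GenericWriteBits) -ne 0)) { $ace }
    }
}

function Find-ModifiableServiceFile {
    # Win32_Service covers user-mode services; Win32_SystemDriver covers driver services,
    # the kind BlackEnergy hijacked. Disabled entries are reported too, since an attacker
    # who can change the start type turns a writable disabled binary into persistence.
    $entries = @(Get-CimInstance -ClassName Win32_Service) + @(Get-CimInstance -ClassName Win32_SystemDriver)
    foreach ($svc in $entries) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin) { continue }
        $runsAs = if ($svc.PSObject.Properties['StartName']) { $svc.StartName } else { 'kernel' }
        $targets = @(
            @{ Kind = 'File';      Path = $bin;                                   Rights = $FileRights },
            @{ Kind = 'Directory'; Path = (Split-Path -LiteralPath $bin -Parent); Rights = $DirRights }
        )
        foreach ($t in $targets) {
            foreach ($ace in (Get-TamperAce -Path $t.Path -Rights $t.Rights)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunsAs    = $runsAs
                    Kind      = $t.Kind
                    Path      = $t.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Find-ModifiableServiceFile | Format-Table -AutoSize
```

Every row is a candidate, not a confirmed finding: confirm with an effective-access check (icacls or the Security tab) because Deny ACEs are ignored here, and note the RunsAs column, since a writable binary for a service running as a low-privilege virtual account is a far smaller problem than one running as SYSTEM.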
