T1044.md

File metadata and controls

84 lines (56 loc) · 5.23 KB

# T1044 - File System Permissions Weakness

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

## Services

Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.

## Executable Installers

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files, they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL Search Order Hijacking. Some installers may also require elevated privileges, which results in privilege escalation when executing adversary-controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)
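From the defender's side, the Services variation above is an audit question: which service binaries, or the directories that contain them, can unprivileged accounts write to? The following PowerShell script is an added example and is not part of the ATT&CK description or of the Atomic Red Team test on this page. It resolves each service's executable from `Win32_Service.PathName` (the same class the test queries), then reports Allow ACEs on the binary and on its parent directory that grant write, modify, delete or full control to Everyone, Users, Authenticated Users or INTERACTIVE. The principal list, the GENERIC_WRITE/GENERIC_ALL bits and the command-line parsing rules are assumptions to adjust for your environment.

```powershell
# Added example (not the Atomic Red Team test's own code): audit service binaries and their
# directories for ACL entries that let broad, low-privilege principals replace the binary.
# Run from an elevated PowerShell so that every service's ACL can be read.

# Principals that should never hold write rights on a binary run by a privileged service.
# Assumption: English group names; adjust on localized systems.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow the file to be replaced or altered (or files to be dropped into a
# directory), plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# some ACEs carry instead of specific rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    # Extract the executable path from a service command line such as
    #   "C:\Program Files\Vendor\svc.exe" -k arg   or   C:\Program Files\Vendor\svc.exe -k arg
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    $p = $p -replace '^\\\?\?\\', ''                    # strip the \??\ NT prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # resolve \SystemRoot\...
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: the path runs up to the first ".exe" followed by whitespace or end of string.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Get-WeakAces {
    # Return every Allow ACE on $Path that grants a broad principal any write right.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of ${Path}: $($_.Exception.Message)"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-ServiceBinaryAudit {
    # One finding per (service, path, principal) with a weak ACE. The containing directory
    # is checked too: write access there lets the binary be renamed and replaced even when
    # the file's own ACL is tight.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin -PathType Leaf)) { continue }
        foreach ($target in @($bin, (Split-Path -Parent $bin))) {
            foreach ($finding in (Get-WeakAces -Path $target)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Path      = $finding.Path
                    Principal = $finding.Principal
                    Rights    = $finding.Rights
                    Inherited = $finding.Inherited
                }
            }
        }
    }
}

Invoke-ServiceBinaryAudit | Sort-Object Service, Path | Format-Table -AutoSize
```

Findings for services running as LocalSystem, LocalService or NetworkService with an automatic start mode are the ones to fix first, since those are exactly the cases where a replaced binary runs with higher privileges at the next restart. Remediation is to restore the vendor's intended ACL (or reinstall the product) rather than to edit permissions ad hoc, and the same script run on a schedule gives a cheap regression check for new installs.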

## Atomic Tests


## Atomic Test #1 - File System Permissions Weakness

This test shows how to check for a file system permissions weakness and how it can lead to privilege escalation when the weakly permissioned file is replaced with a malicious one. Example: check for weak file permissions, then replace the file. `powershell -c "Get-WmiObject win32_service | select PathName"` (check the service file location) and `copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe` (replace the weak-permission file with the malicious file).

Upon execution, open the weak-permission file at %temp%\T1044_weak_permission_file.txt and verify that its contents read "T1044 Malicious file". To verify the weak file permissions, open File Explorer at %temp%\T1044_weak_permission_file.txt, then open Properties > Security and confirm that the Full Control permission is enabled.

**Supported Platforms:** Windows

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_permission_file | File with weak permissions to check | path | $env:TEMP\T1044_weak_permission_file.txt |
| malicious_file | File to replace the weak-permission file with | path | $env:TEMP\T1044\T1044_malicious_file.txt |

#### Attack Commands: Run with `powershell`!

```powershell
Get-WmiObject win32_service | select PathName
Copy-Item #{malicious_file} -Destination #{weak_permission_file} -Force
```

#### Cleanup Commands:

```powershell
Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
```

#### Dependencies: Run with `powershell`!

##### Description: A file must exist on disk at the specified location (#{weak_permission_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{weak_permission_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item #{weak_permission_file} -Force | Out-Null
Set-Content -Path #{weak_permission_file} -Value "T1044 Weak permission file"
```
##### Description: A file to replace the original weak_permission_file. In an attack this would be the malicious file gaining extra privileges.
##### Check Prereq Commands:
```powershell
if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory -Path $env:TEMP\T1044\ -Force | Out-Null
New-Item #{malicious_file} -Force | Out-Null
Set-Content -Path #{malicious_file} -Value "T1044 Malicious file"
```