
DET0038 Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness

Item Value
ID DET0038
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1574.005 (Executable Installer File Permissions Weakness)

Analytics

Windows

AN0108

Executables written or modified in installer directories (e.g., %TEMP% subdirectories or Program Files installer paths) and subsequently executed in an elevated context. The defender observes abnormal file-replacement activity, process creation by installer processes that points to attacker-supplied binaries, and unexpected module loads in elevated processes.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Metadata (DC0059) WinEventLog:Sysmon EventCode=15
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
MonitoredDirectories Specific writable directories to monitor (e.g., %TEMP%, C:\ProgramData, installer unpack paths).
HashBaseline Known good hashes of installer binaries to detect replacement.
TimeWindow Correlation interval between file overwrite and execution event.
UserContext Differentiate expected admin-installer execution vs. anomalous user writes.
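The correlation AN0108 describes, as an added example that is not part of this detection strategy: Sysmon EventCode 11 writes into a monitored installer path are paired with a later EventCode 1 launch of that same file at High/System integrity inside the TimeWindow, and each pair is checked against the HashBaseline and the UserContext of the writer versus the executor. Field names follow Sysmon's event schema; the directory list, baseline hash, and sample events are constructed values.

```python
from datetime import datetime, timedelta

# Mutable elements from the strategy, filled with constructed sample values.
MONITORED_DIRS = ("c:\\users\\alice\\appdata\\local\\temp\\", "c:\\programdata\\")
HASH_BASELINE = {"c:\\programdata\\acmesetup\\setup.exe": "AAAA"}  # hypothetical known-good SHA256
TIME_WINDOW = timedelta(minutes=5)
ELEVATED = {"High", "System"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, monitored_dirs=MONITORED_DIRS, baseline=HASH_BASELINE, window=TIME_WINDOW):
    """Pair Sysmon EID 11 writes into monitored installer paths with an EID 1 launch
    of that same file at High/System integrity inside `window`; return one alert each."""
    writes = {}   # lower-cased path -> (write time, writing image, writing user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventCode"] == 11:
            path = ev["TargetFilename"].lower()
            if path.startswith(monitored_dirs) and path.endswith((".exe", ".dll")):
                writes[path] = (_ts(ev["UtcTime"]), ev["Image"], ev["User"])
        elif ev["EventCode"] == 1:
            path = ev["Image"].lower()
            if path not in writes or ev["IntegrityLevel"] not in ELEVATED:
                continue
            wtime, writer, wuser = writes[path]
            if _ts(ev["UtcTime"]) - wtime > window:
                continue   # replacement too old to correlate with this launch
            sha = dict(h.split("=", 1) for h in ev["Hashes"].split(",")).get("SHA256")
            expected = baseline.get(path)
            alerts.append({"path": path, "writer": writer, "written_by": wuser,
                           "executed_as": ev["User"], "parent": ev["ParentImage"],
                           "hash_mismatch": expected is not None and expected != sha,
                           "user_mismatch": wuser != ev["User"]})
    return alerts

SAMPLE_EVENTS = [   # constructed events, not real telemetry
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:00", "User": "ACME\\alice",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\ProgramData\\AcmeSetup\\setup.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:02:30", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\ProgramData\\AcmeSetup\\setup.exe", "IntegrityLevel": "System",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "Hashes": "SHA256=BBBB,IMPHASH=CCCC"},
    {"EventCode": 1, "UtcTime": "2025-10-21 11:30:00", "User": "NT AUTHORITY\\SYSTEM",  # outside window
     "Image": "C:\\ProgramData\\AcmeSetup\\setup.exe", "IntegrityLevel": "System",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "Hashes": "SHA256=BBBB,IMPHASH=CCCC"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only the launch 2.5 minutes after the unprivileged write produces an alert; the identical launch 90 minutes later falls outside the window and is dropped.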