
DET0436 Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness

Item           Value
ID             DET0436
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1574.010 (Services File Permissions Weakness)

Analytics

Windows

AN1211

Modification or replacement of service executables made possible by weak file or directory permissions. The defender observes file writes to service binary paths, unexpected modifications of executables associated with registered services, and the subsequent execution of the attacker-supplied binary by the service, under the service account's elevated privileges.

Log Sources
Data Component             Name                Channel
File Creation (DC0039)     WinEventLog:Sysmon  EventCode=11
File Metadata (DC0059)     WinEventLog:Sysmon  EventCode=15
Service Creation (DC0060)  WinEventLog:System  EventCode=7045
Process Creation (DC0032)  WinEventLog:Sysmon  EventCode=1
Mutable Elements
Field               Description
MonitoredServices   List of critical services and their expected executable paths for integrity checking.
HashBaseline        Baseline hashes of legitimate service executables for tamper detection.
TimeWindow          Correlation interval between file modification of service executables and service execution.
PrivilegedAccounts  Accounts allowed to legitimately modify service executables.
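The correlation AN1211 describes, as an added example that is not part of DET0436 or of any MITRE-published analytic: Sysmon file events (EventCode 11 and 15) on a monitored service binary are treated as tamper candidates when the writer is not in PrivilegedAccounts or the reported SHA256 differs from HashBaseline, and an alert fires when a service start of that binary (Sysmon EventCode 1 spawned by services.exe, or a System 7045 install pointing at it) follows within TimeWindow. The event records are constructed, simplified dicts; the service name, paths, accounts and hashes are invented for illustration, and the hash mismatch uses EventCode 15 only because the page lists it as the File Metadata source.

```python
"""Correlate service-binary tampering with subsequent service execution (AN1211).

Added example, not part of DET0436. Events are constructed dicts whose field
names follow the Sysmon/System schema; values are invented for illustration.
"""
import hashlib
from datetime import datetime, timedelta

# --- Mutable elements (illustrative assumptions, not real services) ----------
MONITORED_SERVICES = {
    # service name -> expected executable path (compared case-insensitively)
    "ExampleUpdater": r"C:\Program Files\ExampleVendor\updater.exe",
}
HASH_BASELINE = {
    # expected path -> SHA256 of the legitimate binary (constructed here)
    MONITORED_SERVICES["ExampleUpdater"]: hashlib.sha256(b"legit updater build").hexdigest(),
}
TIME_WINDOW = timedelta(minutes=30)
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc-deploy"}


def _norm(path):
    return path.strip().strip('"').lower()


def _service_for(path):
    """Monitored service whose expected binary is `path`, else None."""
    for name, expected in MONITORED_SERVICES.items():
        if _norm(expected) == _norm(path):
            return name
    return None


def _ts(ev):
    # Sysmon UtcTime may carry milliseconds; the first 19 chars are the whole second.
    return datetime.strptime(ev["UtcTime"][:19], "%Y-%m-%d %H:%M:%S")


def find_tamper_events(events):
    """(time, service, reason, event) for suspicious writes to monitored binaries."""
    out = []
    for ev in events:
        if ev["Channel"] != "Sysmon" or ev["EventCode"] not in (11, 15):
            continue
        service = _service_for(ev["TargetFilename"])
        if service is None:
            continue
        if ev["EventCode"] == 11 and ev["User"] not in PRIVILEGED_ACCOUNTS:
            out.append((_ts(ev), service, f"write by non-privileged account {ev['User']}", ev))
        if ev["EventCode"] == 15:
            expected = HASH_BASELINE.get(MONITORED_SERVICES[service])
            observed = ev["Hash"].split("SHA256=", 1)[-1].lower()
            if expected and observed != expected:
                out.append((_ts(ev), service, "SHA256 differs from baseline", ev))
    return out


def find_service_executions(events):
    """(time, service, event) for service starts or installs of monitored binaries."""
    out = []
    for ev in events:
        if ev["Channel"] == "Sysmon" and ev["EventCode"] == 1:
            service = _service_for(ev["Image"])
            # Service-hosted processes are spawned by the Service Control Manager.
            if service and _norm(ev["ParentImage"]).endswith("\\services.exe"):
                out.append((_ts(ev), service, ev))
        elif ev["Channel"] == "System" and ev["EventCode"] == 7045:
            service = _service_for(ev["ImagePath"])
            if service:
                out.append((_ts(ev), service, ev))
    return out


def correlate(events):
    """Alerts: tamper on a monitored binary followed within TIME_WINDOW by its execution."""
    alerts = []
    execs = find_service_executions(events)
    for t_time, service, reason, t_ev in find_tamper_events(events):
        for x_time, x_service, x_ev in execs:
            if x_service == service and t_time <= x_time <= t_time + TIME_WINDOW:
                alerts.append({"service": service, "reason": reason,
                               "modified_by": t_ev["User"], "modified_at": t_time.isoformat(),
                               "executed_at": x_time.isoformat(), "executed_as": x_ev.get("User")})
    return alerts


# Constructed sample log: one legitimate deployment, one overwrite by a low-privileged
# user through a weak directory ACL, then the SCM starting the replaced binary as SYSTEM.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventCode": 11, "UtcTime": "2025-10-21 09:00:00.101",
     "User": "CORP\\svc-deploy", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"Channel": "Sysmon", "EventCode": 11, "UtcTime": "2025-10-21 13:05:10.004",
     "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\ExampleVendor\updater.exe"},
    {"Channel": "Sysmon", "EventCode": 15, "UtcTime": "2025-10-21 13:05:11.250",
     "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Program Files\ExampleVendor\updater.exe",
     "Hash": "SHA256=" + hashlib.sha256(b"replaced updater build").hexdigest()},
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2025-10-21 13:20:00.000",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\ExampleVendor\updater.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The 09:00 write is ignored because CORP\svc-deploy is in PrivilegedAccounts, so only the two 13:05 events (unexpected writer, hash mismatch) are paired with the 13:20 service start; widening TimeWindow or removing accounts from PrivilegedAccounts changes what fires, which is exactly what those mutable elements are for.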