
CAPEC-642: Replace Binaries

Abstraction
Detailed
Status
Draft
Severity
High

Description

Adversaries know that certain binaries are executed regularly as part of normal processing (scheduled jobs, services, login scripts, build steps). If those binaries are not protected by appropriate file system permissions, an adversary can overwrite them with malware, which then runs with whatever privileges the legitimate caller has, often higher than the adversary's own. A variation of this pattern targets self-extracting installation packages that unpack binaries into directories with weak file permissions and do not clean them up afterwards; the unpacked binaries can be replaced before they are executed. Note that a strict mode on the file alone is not enough: if the containing directory is world-writable and lacks the sticky bit, the file can be unlinked and replaced regardless of its own permissions.
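The precondition this pattern depends on is auditable. The following is an added example, not part of the CAPEC entry and not MITRE's code: it walks a directory tree and reports executables that a non-owner could replace, either because the file itself is group/world-writable or because its parent directory is world-writable without the sticky bit. The fixture tree it builds is constructed sample data; directory and file names such as `dropdir` and `writable-tool` are assumptions made for the demonstration.

```python
"""
Added example for CAPEC-642 (not from the CAPEC entry): find executables
that an unprivileged local user could replace.  The fixture tree built by
build_fixture() is constructed sample data so the check runs offline.
"""
import os
import stat
import tempfile


def weak_permission_findings(root):
    """Walk `root` and report executables that could be swapped for malware.

    Two conditions are flagged:
      * the executable is group- or world-writable (it can be overwritten), or
      * its parent directory is world-writable and has no sticky bit (the
        file can be unlinked and replaced even if its own mode is strict).

    Returns a sorted list of (path relative to root, reason) tuples.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = os.lstat(dirpath).st_mode
        dir_replaceable = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            if not (st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
                continue  # only things that will actually be executed matter
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "executable is group/world-writable"))
            elif dir_replaceable:
                findings.append((rel, "parent directory is world-writable without sticky bit"))
    return sorted(findings)


def build_fixture():
    """Create a constructed sample tree (example data, not from the page).

    bin/        0755  properly locked-down directory
    dropdir/    0777  world-writable, no sticky bit: contents are replaceable
    stickydir/  1777  world-writable but sticky: only the owner can unlink
    """
    root = tempfile.mkdtemp(prefix="capec642-")
    dirs = {"bin": 0o755, "dropdir": 0o777, "stickydir": 0o1777}
    files = {
        "bin/safe-tool": 0o755,            # fine
        "bin/writable-tool": 0o777,        # file itself is writable by anyone
        "dropdir/unpacked-installer-helper": 0o755,  # strict file, weak directory
        "stickydir/tool": 0o755,           # sticky bit protects it
    }
    for d, mode in dirs.items():
        p = os.path.join(root, d)
        os.mkdir(p)
        os.chmod(p, mode)
    for f, mode in files.items():
        p = os.path.join(root, f)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    tree = build_fixture()
    for rel, reason in weak_permission_findings(tree):
        print(f"{rel}: {reason}")
```

Run against a real system as `weak_permission_findings("/usr/local/bin")` or against the working directory of a service account. The check looks only at mode bits, so it runs as any user; it does not evaluate ACLs or group membership, and a group-writable directory would need a separate judgement based on who is in that group.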

Related weaknesses (1)

CWE-732: Incorrect Permission Assignment for Critical Resource

MITRE ATT&CK crosswalk (3)

T1505.005: Server Software Component: Terminal Services DLL
T1554: Compromise Client Software Binary
T1574.005: Hijack Execution Flow: Executable Installer File Permissions Weakness

Related attack patterns (1)

CAPEC-17 (ChildOf)

Exploits (1)

Type     | Target                                               | ID      | Confidence | Tier
Weakness | Incorrect Permission Assignment for Critical Resource | CWE-732 | 100%       | live

Related to (3)

Type          | Target                                          | ID        | Confidence | Tier
Sub-technique | Executable Installer File Permissions Weakness  | T1574.005 | 100%       | live
Technique     | Compromise Client Software Binary               | T1554     | 100%       | live
Sub-technique | Terminal Services DLL                           | T1505.005 | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Replace Trusted Executable
Sub-technique: Executable Installer File Permissions Weakness
Sub-technique: Services File Permissions Weakness
CAPEC: Install Rootkit
CAPEC: File Manipulation
CAPEC: Code Injection

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.