Modification or replacement of service executables due to weak file or directory permissions. Defender observes file writes to service binary paths, unexpected modifications of executables associated with registered services, and subsequent service execution of attacker-supplied binaries under elevated permissions.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| MonitoredServices | List of critical services and their expected executable paths for integrity checking. |
| HashBaseline | Baseline hashes of legitimate service executables for tamper detection. |
| TimeWindow | Correlation interval between file modification of service executables and service execution. |
| PrivilegedAccounts | Accounts allowed to legitimately modify service executables. |
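The correlation described above, written out as an added Python example (not part of this page or of MITRE's tooling): writes to monitored service binaries (Sysmon EventCode 11) by accounts outside PrivilegedAccounts, whose content differs from HashBaseline, are held and matched against a later execution of the same path (EventCode 1) inside TimeWindow. The record field names, service name, paths and hash strings are constructed.

```python
from datetime import datetime, timedelta

# Tunables matching the fields in the table above (constructed values).
MONITORED_SERVICES = {"UpdaterSvc": r"C:\Program Files\Updater\updater.exe"}
HASH_BASELINE = {r"C:\Program Files\Updater\updater.exe": "sha256-of-legit-updater"}
PRIVILEGED_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"CORP\patch-admin"}
TIME_WINDOW = timedelta(minutes=30)


def detect(events):
    """Alert when a monitored service binary is overwritten (Sysmon EventCode 11)
    by a non-privileged account with content differing from the hash baseline,
    and the same path is then executed (EventCode 1) within TIME_WINDOW."""
    monitored = {p.lower(): svc for svc, p in MONITORED_SERVICES.items()}  # NTFS paths are case-insensitive
    baseline = {p.lower(): h for p, h in HASH_BASELINE.items()}
    pending = {}  # path -> latest suspicious write still awaiting execution
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        path = ev["path"].lower()
        if path not in monitored:
            continue
        if ev["event"] == 11:
            if ev["user"] in PRIVILEGED_ACCOUNTS:
                continue  # authorised maintenance, not tampering by policy
            if ev.get("hash") is not None and ev["hash"] == baseline.get(path):
                continue  # same content as baseline: nothing was actually changed
            pending[path] = ev
        elif ev["event"] == 1 and path in pending:
            write = pending.pop(path)
            if ev["time"] - write["time"] <= TIME_WINDOW:
                alerts.append({"service": monitored[path], "modified_by": write["user"],
                               "executed_as": ev["user"],
                               "delay_s": int((ev["time"] - write["time"]).total_seconds())})
    return alerts

# Constructed sample records. "path" stands in for Sysmon's TargetFilename (EventCode 11)
# and Image (EventCode 1); "hash" is assumed to come from EventCode 15 or an on-host check.
T0 = datetime(2024, 1, 1, 9, 0)
SVC = r"C:\Program Files\Updater\updater.exe"
SAMPLE_EVENTS = [
    {"event": 11, "time": T0, "path": SVC, "user": r"CORP\patch-admin",
     "hash": "sha256-of-legit-updater"},                          # legitimate patch
    {"event": 11, "time": T0 + timedelta(minutes=5), "path": SVC.upper(),
     "user": r"CORP\jdoe", "hash": "sha256-of-attacker-binary"},  # weak ACL abused
    {"event": 1, "time": T0 + timedelta(minutes=7), "path": SVC,
     "user": r"NT AUTHORITY\SYSTEM"},                             # service starts it
    {"event": 11, "time": T0 + timedelta(minutes=8), "path": r"C:\Temp\notes.txt",
     "user": r"CORP\jdoe", "hash": "irrelevant"},                 # not monitored
]
```

Running `detect(SAMPLE_EVENTS)` yields a single alert for UpdaterSvc: the privileged patch and the unmonitored path are ignored, and the mixed-case path still matches.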