
CAPEC-558 Detail

Replace Trusted Executable

Abstraction: Detailed | Domain: Software | Likelihood: Low | Typical Severity: High

Parents: 542

Threats: T79 T284 T287 T337 T389 T391 T403 T406

Description

An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.


Related References

External ID   Source   Link                                                       Description
CAPEC-558     capec    https://capec.mitre.org/data/definitions/558.html
CWE-284       cwe      http://cwe.mitre.org/data/definitions/284.html
T1505.005     ATTACK   https://attack.mitre.org/wiki/Technique/T1505/005          Server Software Component: Terminal Services DLL
T1546.008     ATTACK   https://attack.mitre.org/wiki/Technique/T1546/008          Event Triggered Execution: Accessibility Features


Example Instances

1. Specific versions of Windows contain accessibility features that can be launched with a key combination before a user has logged in (for example, from the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the accessibility program (e.g. "C:\Windows\System32\utilman.exe") may be replaced with cmd.exe (or another program that provides backdoor access). Pressing the corresponding key combination at the login screen, whether at the physical keyboard or over an RDP session, then causes the replaced file to be executed with SYSTEM privileges, because the logon process launches it before any user has authenticated.