MITRE ATT&CK® Analytic

AN1211: Analytic 1211

Modification or replacement of service executables due to weak file or directory permissions. Defender observes file writes to service binary paths, unexpected modifications of executables associated with registered services, and subsequent service execution of attacker-supplied binaries under elevated permissions.

Enterprise · Analytic AN1211 · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic covers a Windows service binary being modified or replaced because weak file or directory permissions let a lower-privileged account write to it. The business significance is privilege-escalation and persistence risk: if an attacker can swap the executable behind a registered service, the next service start runs attacker-controlled code with the service's elevated permissions, and it will keep doing so on every restart until the binary is restored. Leaders should treat this as both a detection and a hardening issue, not only a malware issue.

Executive priority

Prioritize validation for business-critical Windows servers and endpoints where services run with elevated privileges. This behavior can turn a local permission weakness into higher-privilege execution, so it is relevant to operational resilience, incident response scoping, vulnerability and configuration management, and audit evidence around least privilege and change control. Ask whether teams can prove which service binaries are writable, which were changed, and whether service execution followed an unauthorized change.

Technical view

For SOC, detection engineering, and IR teams, the core validation is correlation of three observations: a file write or replacement at a path used by a registered Windows service, an unexpected change to that service-associated executable (for example a hash that no longer matches the baseline), and a subsequent start of the modified binary by the Service Control Manager (services.exe) under the service's account. Because no official detection logic is provided, teams should derive local analytics from the Windows service inventory (service name, ImagePath, run-as account), file modification events, process execution events with parent-process context, and permission baselines. Tune against approved software updates, patching, installer activity, and administrative maintenance windows rather than excluding service directories wholesale.

Likely telemetry

  • Windows file creation/modification events for service executable paths
  • Windows service inventory and registered service binary path metadata
  • Process execution telemetry showing service-launched binaries
  • File and directory permission or ACL baselines for service paths
  • Change-management, software deployment, and patching records for false-positive review

Detection direction

  • Build a baseline of registered Windows services and their expected executable paths, owners, hashes, and permissions.
  • Alert on writes, replacements, or unexpected hash changes to executables associated with registered services, especially where the path is writable by non-administrative or overly broad principals.
  • Correlate service binary modification with later service start or process execution from the modified path.
  • Suppress or annotate expected activity from approved installers, patch tools, and maintenance windows rather than broadly excluding service directories.
  • Review blind spots where endpoint telemetry does not capture file writes, where service inventory is stale, or where permission data is not collected.
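
The technical view and the detection-direction bullets above describe one procedure: baseline the registered services, watch for writes and hash changes at their binary paths, and correlate those with a later service start. The following is an added worked example of that correlation, not MITRE or Glexia content. It runs over constructed Sysmon-style records (Event ID 11 file create/overwrite, Event ID 1 process create); the service names, paths, hashes, the approved-installer list, the maintenance window and the lookback period are all assumptions made for illustration.

```python
"""Correlate service-binary modification with a later service start.

Added example, not MITRE or Glexia content. Events are constructed,
Sysmon-style records (EventID 11 FileCreate, EventID 1 ProcessCreate);
field names follow Sysmon's but every value is invented for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List

SCM = r"c:\windows\system32\services.exe"  # Service Control Manager


def norm(path: str) -> str:
    """Case-fold and unquote a Windows path so registry and event paths compare."""
    return path.strip().strip('"').lower()


# Constructed baseline of registered services: binary path, expected SHA-256 and
# whether an ACL review found the binary or its directory writable by
# non-administrative principals.
BASELINE = {
    norm(r"C:\Program Files\Acme Backup\backupsvc.exe"):
        {"service": "AcmeBackup", "sha256": "aaaa1111", "weak_acl": True},
    norm(r"C:\Program Files\Contoso Agent\agentsvc.exe"):
        {"service": "ContosoAgent", "sha256": "bbbb2222", "weak_acl": False},
    norm(r"C:\Program Files\Fabrikam Sync\syncsvc.exe"):
        {"service": "FabrikamSync", "sha256": "cccc3333", "weak_acl": False},
}
# Writers whose changes are expected inside the maintenance window (assumed).
APPROVED_WRITERS = {norm(r"C:\Windows\System32\msiexec.exe")}
MAINTENANCE = (datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))


def correlate(events: List[Dict], baseline=BASELINE,
              lookback=timedelta(days=7)) -> List[Dict]:
    """Return one finding per SCM-launched service binary whose hash differs
    from the baseline, annotated with the most recent observed write."""
    writes: Dict[str, List[Dict]] = {}
    findings: List[Dict] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == 11:  # a file was written at a registered service path
            target = norm(e["target"])
            if target in baseline:
                approved = (norm(e["image"]) in APPROVED_WRITERS
                            and MAINTENANCE[0] <= e["ts"] <= MAINTENANCE[1])
                writes.setdefault(target, []).append(
                    {"ts": e["ts"], "writer": e["image"],
                     "user": e["user"], "approved": approved})
        elif e["id"] == 1:  # a process started
            image = norm(e["image"])
            svc = baseline.get(image)
            # Only service starts count: parent must be the SCM and the
            # launched image must no longer match the baselined hash.
            if svc is None or norm(e["parent"]) != SCM or e["sha256"] == svc["sha256"]:
                continue
            recent = [w for w in writes.get(image, []) if e["ts"] - w["ts"] <= lookback]
            finding = {"service": svc["service"], "path": e["image"],
                       "started": e["ts"], "writer": None, "user": None}
            if not recent:
                # Hash drifted but no write was seen: a telemetry/inventory gap
                finding.update(severity="medium",
                               reason="hash differs from baseline; no write observed")
            else:
                last = recent[-1]
                finding.update(writer=last["writer"], user=last["user"])
                if last["approved"]:
                    finding.update(severity="info",
                                   reason="approved writer inside maintenance window")
                else:
                    finding.update(severity="critical" if svc["weak_acl"] else "high",
                                   reason="unexpected write followed by service start")
            findings.append(finding)
    return findings


T = datetime(2024, 5, 1)
EVENTS = [  # constructed sample telemetry
    {"id": 11, "ts": T.replace(hour=1, minute=10), "user": r"CORP\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\build.exe",
     "target": r"C:\Program Files\Acme Backup\backupsvc.exe"},
    {"id": 1, "ts": T.replace(hour=1, minute=12), "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Acme Backup\backupsvc.exe",
     "parent": r"C:\Windows\System32\services.exe", "sha256": "dead9999"},
    {"id": 11, "ts": T.replace(hour=2, minute=30), "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Contoso Agent\agentsvc.exe"},
    {"id": 1, "ts": T.replace(hour=2, minute=31), "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Contoso Agent\agentsvc.exe",
     "parent": r"C:\Windows\System32\services.exe", "sha256": "bbbb2223"},
    {"id": 1, "ts": T.replace(hour=3, minute=0), "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Fabrikam Sync\syncsvc.exe",
     "parent": r"C:\Windows\System32\services.exe", "sha256": "eeee5555"},
    {"id": 1, "ts": T.replace(hour=3, minute=5), "user": r"CORP\bob",
     "image": r"C:\Windows\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "sha256": "0000"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[{f['severity']:8}] {f['service']}: {f['reason']} "
              f"(writer={f['writer']}, user={f['user']})")
```

Run as a script, the sample produces three findings: a critical one for AcmeBackup (written by a user-profile binary and then started by the SCM, on a path already known to have a weak ACL), an informational annotation for ContosoAgent (msiexec inside the maintenance window), and a medium finding for FabrikamSync, whose hash changed without any observed write, which is the blind-spot case from the last bullet. Against real Sysmon data the `Hashes` field of Event ID 1 carries `SHA256=...` among other algorithms and needs splitting, and the service inventory's ImagePath values need the same quote and case normalisation that `norm` applies here.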

Mitigation priorities

  • Inventory Windows services and identify service executable paths with weak file or directory permissions.
  • Harden ACLs so only authorized administrators and trusted deployment mechanisms can modify service binaries and their parent directories. Directory rights matter as much as the file's own ACL: a principal who can add or delete files in the parent directory can remove or rename the existing binary and drop a replacement even when the file itself is locked down.
  • Use change control and integrity monitoring for service executables on critical systems.
  • Ensure incident response playbooks include service binary replacement checks when investigating suspicious elevated execution.
  • Retain enough endpoint and file telemetry to reconstruct modification timing, responsible account or process, and subsequent service execution.
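
The first two mitigation bullets ask which service binaries and parent directories are writable by the wrong principals. The following is an added example of that triage, not MITRE or Glexia content. It assumes the ACLs were captured as the text output of `icacls "<path>"`, run once for the binary and once for its parent directory, and parses the ImagePath-style value a service inventory would supply. The service, paths and ACL output are constructed; the trusted-principal list, the broad-principal list and the set of rights treated as write-class are assumptions to adapt per environment, not a Microsoft reference.

```python
"""Flag weak write permissions on a service binary and its parent directory.

Added example, not MITRE or Glexia content. Assumes ACLs were captured as the
text output of `icacls "<path>"`. All paths, principals and ACL text below are
constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple

# Principals allowed to hold write-class rights on service binaries and their
# parent directories (assumption; adjust for your deployment tooling).
TRUSTED = {r"nt authority\system", r"builtin\administrators",
           r"nt service\trustedinstaller"}
# Overly broad principals: write-class rights here are the classic weakness.
BROAD = {"everyone", r"builtin\users", r"nt authority\authenticated users",
         r"nt authority\interactive"}
INHERITANCE = {"I", "OI", "CI", "IO", "NP"}
# icacls simple and specific rights that let the holder modify or replace the
# file, or add/delete files in the directory. AD on a directory only adds
# subdirectories, so it is excluded from DIR_WRITE.
FILE_WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DE", "WDAC", "WO"}
DIR_WRITE = {"F", "M", "W", "GA", "GW", "WD", "DC", "WDAC", "WO"}


class Ace(NamedTuple):
    principal: str
    inheritance: frozenset
    rights: frozenset


def parse_icacls(path: str, output: str) -> List[Ace]:
    """Parse `icacls <path>` output. icacls echoes the path verbatim before the
    first ACE, so `path` must be spelled exactly as it was passed to icacls."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, sep, flags = line.rpartition(":")
        if not sep or not flags.startswith("("):
            continue  # blank lines, the summary line, anything that is not an ACE
        tokens = re.findall(r"\(([^)]*)\)", flags)
        aces.append(Ace(
            principal.strip().lower(),
            frozenset(t for t in tokens if t in INHERITANCE),
            frozenset(r for t in tokens if t not in INHERITANCE for r in t.split(",")),
        ))
    return aces


def weak_aces(aces: List[Ace], is_dir: bool) -> List[Dict]:
    """Report every untrusted principal holding a write-class right."""
    write_set = DIR_WRITE if is_dir else FILE_WRITE
    findings = []
    for ace in aces:
        held = ace.rights & write_set
        if held and ace.principal not in TRUSTED:
            findings.append({
                "principal": ace.principal,
                "rights": sorted(held),
                "severity": "high" if ace.principal in BROAD else "medium",
                # (IO) = inherit-only: applies to children, not this object;
                # still relevant because the binary lives in this directory.
                "children_only": "IO" in ace.inheritance,
            })
    return findings


def binary_from_imagepath(image_path: str) -> str:
    """Heuristic: a quoted ImagePath yields the quoted segment, otherwise
    everything up to the first '.exe'. %SystemRoot% etc. are left unexpanded."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)", s, re.IGNORECASE)
    return m.group(1) if m else s


def audit(binary: str, parent: str, file_output: str, dir_output: str) -> Dict:
    return {"file": weak_aces(parse_icacls(binary, file_output), is_dir=False),
            "directory": weak_aces(parse_icacls(parent, dir_output), is_dir=True)}


# Constructed sample: the directory grants Users Modify through inheritance,
# so the service binary itself ended up writable by every local user.
IMAGE_PATH = r'"C:\Program Files\Acme Backup\backupsvc.exe" -service'
BINARY = binary_from_imagepath(IMAGE_PATH)
PARENT = BINARY.rsplit("\\", 1)[0]
FILE_ACL = f"""{BINARY} NT AUTHORITY\\SYSTEM:(I)(F)
                                          BUILTIN\\Administrators:(I)(F)
                                          BUILTIN\\Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""
DIR_ACL = f"""{PARENT} NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\\Users:(I)(OI)(CI)(RX)
                             BUILTIN\\Users:(I)(OI)(CI)(IO)(M)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for scope, hits in audit(BINARY, PARENT, FILE_ACL, DIR_ACL).items():
        for h in hits:
            print(f"{scope}: {h['principal']} holds {h['rights']} ({h['severity']})")
```

On the sample, the file check reports BUILTIN\Users with Modify as high severity, and the directory check reports the inherit-only Users:(M) entry that caused it plus CREATOR OWNER:(F) as medium, since any file a user can add there is fully controlled by that user. Read-and-execute for Users is correctly ignored. The remediation is the one the bullet above states: remove the Users ACE on the directory, let the binary re-inherit, and confirm with a fresh `icacls` run that only the trusted principals retain write-class rights.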

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows. It describes the behavior and observable pattern but does not provide formal detection logic, tactics, mitigations, data sources, or relationship context. The strongest defensive value comes from combining service inventory, file integrity/change telemetry, process execution telemetry, and permission review.

No official detection content or relationships were supplied, and tactics are not specified. This take should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage. Local service configurations, telemetry quality, and administrative software deployment practices determine practical fidelity.

Official MITRE ATT&CK definition

Analytic 1211


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 96dd5b549508183f...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: 96dd5b549508…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1211 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.