MITRE ATT&CK® Detection Strategy

DET0436: Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.


Enterprise · DET0436 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0436 is a detection strategy object for identifying service execution-flow hijacking caused by weak file permissions, as related to ATT&CK technique T1574.010. In business terms, this matters because a mispermissioned Windows service binary or service directory can turn a routine service restart into unauthorized code execution. The decision value is not that this object provides detailed analytics—it does not—but that leaders should confirm whether Windows service permission hygiene, service change monitoring, and incident response evidence are strong enough to prove or disprove this path quickly.

Executive priority

Prioritize this as a Windows hardening and monitoring validation item tied to operational resilience and audit evidence. Security leaders should ask: which critical Windows services can be modified by non-administrative users or overly broad groups, do we monitor service binary and directory changes, and can the SOC correlate a suspicious file replacement with subsequent service start activity? Because the supplied DET0436 object has no official detection text, coverage should not be assumed from ATT&CK mapping alone.

Technical view

The relationship context maps this detection strategy to T1574.010, Services File Permissions Weakness, under stealth and execution for Windows. SOC and detection engineering teams should validate controls around Windows service configuration, file and directory ACLs for service binaries, file modification events in service paths, and service start or restart activity after suspicious changes. IR teams should be prepared to review whether the executable launched by a service matches the expected trusted binary and whether permissions allowed replacement or tampering.

Likely telemetry

  • Windows service configuration and service control events
  • File creation, modification, replacement, and deletion events for service binaries and service directories
  • File and directory access control list or permission-change evidence
  • Process execution telemetry showing service-spawned binaries
  • Endpoint detection or host audit logs that can link file tampering to later service execution

Detection direction

  • Validate whether monitoring covers both sides of the behavior: weak or changed permissions and subsequent service execution.
  • Baseline expected service binary paths, hashes where appropriate, owners, and ACLs; alert on drift in sensitive service locations.
  • Tune for legitimate software updates and administrative maintenance, which can also modify service binaries or restart services.
  • Correlate file changes in service paths with service start/restart events and process execution from the affected service context.
  • Review blind spots where endpoint agents do not collect ACL changes, file writes in service directories, or service control activity.
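The fourth bullet above (correlating file changes in service paths with later service start activity) and the tuning bullet before it are the core of a usable analytic. The following PowerShell is an added example, not MITRE's or Glexia's code: it joins file-write events in a service's binary location to a subsequent start of that service and rates the result by who performed the write. The event records are constructed to mirror the fields of Sysmon Event ID 11 (FileCreate) and System log Event ID 7036 (service state change); the `$ServiceBinaries` map, the `$TrustedWriters` list and the 60-minute window are assumptions for the example.

```powershell
# Added example (not MITRE's or Glexia's code): correlate file writes in a service's
# binary location with a later start of that service. Event records are constructed
# to mirror Sysmon Event ID 11 (FileCreate) and System log Event ID 7036 (service
# state change); in production they would come from Get-WinEvent or a SIEM query,
# and the service-to-binary map from an inventory of Win32_Service.

$ServiceBinaries = @{   # constructed mapping (assumption): service name -> expected binary path
    'ExampleSvc' = 'C:\Program Files\ExampleVendor\examplesvc.exe'
    'Spooler'    = 'C:\Windows\System32\spoolsv.exe'
}

function New-SampleEvent {   # builds one constructed event record for the example
    param([string]$Time, [string]$Source, [int]$Id, [string]$Path, [string]$User, [string]$Service)
    [pscustomobject]@{ Time = [datetime]$Time; Source = $Source; Id = $Id; Path = $Path; User = $User; Service = $Service }
}

$Events = @(   # constructed sample telemetry, not real log data
    # an interactive user replaces a service binary and the service starts minutes later
    New-SampleEvent '2026-01-10T09:00:05' 'Sysmon' 11   'C:\Program Files\ExampleVendor\examplesvc.exe' 'CORP\jdoe' $null
    New-SampleEvent '2026-01-10T09:03:40' 'System' 7036 $null $null 'ExampleSvc'
    # a platform update writes spoolsv.exe as SYSTEM, then the service restarts
    New-SampleEvent '2026-01-10T11:20:00' 'Sysmon' 11   'C:\Windows\System32\spoolsv.exe' 'NT AUTHORITY\SYSTEM' $null
    New-SampleEvent '2026-01-10T11:25:00' 'System' 7036 $null $null 'Spooler'
    # a write days before the start: outside the window, so it is not correlated
    New-SampleEvent '2026-01-08T02:00:00' 'Sysmon' 11   'C:\Program Files\ExampleVendor\examplesvc.exe' 'CORP\jdoe' $null
)

function Find-ServiceBinaryTampering {
    param(
        [object[]]$Events,
        [hashtable]$ServiceBinaries,
        [int]$WindowMinutes = 60,
        # accounts whose writes usually reflect patching; assumed list, tune per environment
        [string[]]$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
    )
    $writes = $Events | Where-Object { $_.Source -eq 'Sysmon' -and $_.Id -eq 11 -and $_.Path }
    $starts = $Events | Where-Object { $_.Source -eq 'System' -and $_.Id -eq 7036 -and $_.Service }
    $alerts = foreach ($start in $starts) {
        $binary = $ServiceBinaries[$start.Service]
        if (-not $binary) { continue }          # unmapped service: nothing to compare against
        $dir = Split-Path -Path $binary -Parent
        foreach ($w in $writes) {
            # in scope: the binary itself or anything else dropped into its directory
            $inScope  = ($w.Path -ieq $binary) -or ($w.Path -like "$dir\*")
            # in window: the write precedes the start by at most $WindowMinutes
            $inWindow = ($w.Time -le $start.Time) -and ($w.Time -ge $start.Time.AddMinutes(-$WindowMinutes))
            if (-not ($inScope -and $inWindow)) { continue }
            $severity = if ($TrustedWriters -contains $w.User) { 'low: trusted writer, verify change record' } else { 'high: untrusted writer before service start' }
            [pscustomobject]@{
                Service   = $start.Service
                Binary    = $binary
                Written   = $w.Path
                WrittenBy = $w.User
                WriteTime = $w.Time
                StartTime = $start.Time
                Severity  = $severity
            }
        }
    }
    return @($alerts)
}

Find-ServiceBinaryTampering -Events $Events -ServiceBinaries $ServiceBinaries | Format-Table -AutoSize
```

On the constructed input this yields two rows: a high-severity hit for ExampleSvc (written by CORP\jdoe three minutes before the start) and a low-severity row for Spooler (written by SYSTEM, which the tuning bullet says should be checked against change records rather than alerted on outright); the write from two days earlier is dropped by the window. For live data, the same fields are available from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11 }` and `Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036 }`; if Sysmon is not deployed, Security event 4663 can supply the write side, but only for paths that carry an object-access SACL, which is one of the blind spots the last bullet asks teams to review.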

Mitigation priorities

  • Inventory Windows services and identify writable service binaries or directories, especially where non-administrative principals have modification rights.
  • Correct overly permissive file system ACLs on service binaries and containing directories using least-privilege principles.
  • Restrict who can modify service configurations and service executable paths.
  • Maintain change-control evidence for service binary updates so SOC teams can distinguish authorized maintenance from suspicious tampering.
  • Ensure incident response playbooks include service permission review, binary integrity review, and timeline correlation around service restarts.
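The first two mitigation bullets (inventory writable service binaries and directories, then correct their ACLs) and the baseline-and-drift bullet under "Detection direction" need the same inventory, so one added example serves both. The PowerShell below is not MITRE's or Glexia's code: it enumerates Win32_Service, resolves each binary path, flags binaries or containing directories that broad non-administrative principals can write to, and records a baseline of path, SHA-256 and owner so a later run can report drift. `$BroadPrincipals`, `$BaselineFile` and the finding strings are assumptions for the example; the script is read-only and makes no ACL changes.

```powershell
# Added example (not MITRE's or Glexia's code): inventory Windows service binaries,
# flag binaries or containing directories writable by broad non-administrative
# principals, and record a baseline (path, SHA-256, owner) to diff on later runs.
# Read-only; run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.

# Principals that should never hold write rights on a service binary or its directory
# (assumed list for the example; extend it to match your environment).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Users')
$BaselineFile = 'C:\SecAudit\service-baseline.json'   # assumed location

# Rights that allow replacing, altering or re-permissioning a file or directory entry.
# FullControl and Modify contain these bits, so they are caught too; read bits (which
# Modify also contains) are deliberately not in the mask to avoid false positives.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
$GenericWriteMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL in unmapped ACEs

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Quoted path, unquoted path plus arguments, or unquoted path containing spaces:
    # take everything up to the first ".exe".
    if ($PathName -match '^\s*"?([^"]+?\.exe)') { $candidate = $Matches[1] }
    else { $candidate = ($PathName.Trim() -split '\s+')[0].Trim('"') }
    return [Environment]::ExpandEnvironmentVariables($candidate)
}

function Get-BroadWriteGrants {
    # Returns the broad principals holding write-capable Allow ACEs on $Path.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @("acl unreadable: $_") }
    $grants = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        $raw = [int]$rule.FileSystemRights    # may carry generic bits not named in the enum
        if ((($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)) {
            $grants += "$who ($($rule.FileSystemRights))"
        }
    }
    return $grants
}

function Get-ServiceBinaryAudit {
    param([string]$BaselinePath)
    $baseline = @{}
    if ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
        foreach ($e in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$e.Service] = $e }
    }
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin -PathType Leaf)) { continue }
        $dir  = Split-Path -LiteralPath $bin -Parent
        $hash = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
        try { $owner = (Get-Acl -LiteralPath $bin -ErrorAction Stop).Owner } catch { $owner = 'unknown' }
        $findings = @()
        $g = Get-BroadWriteGrants -Path $bin; if ($g) { $findings += "binary writable by $($g -join ', ')" }
        $g = Get-BroadWriteGrants -Path $dir; if ($g) { $findings += "directory writable by $($g -join ', ')" }
        if ($baseline.ContainsKey($svc.Name)) {          # drift against the previous run
            $old = $baseline[$svc.Name]
            if ($old.Binary -ne $bin)      { $findings += "path drift: $($old.Binary) -> $bin" }
            elseif ($old.Sha256 -ne $hash) { $findings += 'hash drift since baseline' }
            if ($old.Owner -ne $owner)     { $findings += "owner drift: $($old.Owner) -> $owner" }
        }
        [pscustomobject]@{
            Service  = $svc.Name
            RunsAs   = $svc.StartName   # LocalSystem here means a swapped binary runs as SYSTEM
            Binary   = $bin
            Sha256   = $hash
            Owner    = $owner
            Findings = @($findings)
        }
    }
}

# Usage: the first run only writes the baseline; later runs also report drift against it.
$audit = Get-ServiceBinaryAudit -BaselinePath $BaselineFile
$audit | Where-Object { $_.Findings.Count -gt 0 } |
    Select-Object Service, RunsAs, Binary, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Format-Table -Wrap
New-Item -ItemType Directory -Path (Split-Path -Path $BaselineFile -Parent) -Force | Out-Null
$audit | Select-Object Service, Binary, Sha256, Owner | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
```

The directory check matters as much as the file check: a binary with a tight ACL inside a directory where Users can create files or delete children can still be replaced by a rename-and-drop, which is why the script inspects both. Hash drift on its own is expected after patching, so the fourth mitigation bullet applies: store the baseline alongside change-control records, and treat drift without a matching change as a finding rather than noise.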

Analyst notes and limits

This take is based on a sparse ATT&CK detection strategy object. The strongest usable context comes from the relationship to T1574.010, which describes adversaries replacing binaries used by Windows services when file or directory permissions are improperly set. Treat DET0436 as a prompt to validate local telemetry and control coverage, not as a complete ready-to-deploy detection.

The supplied detection strategy has no official description, no official detection text, no listed platforms, and no tactics. The Windows, stealth, and execution context comes from the related T1574.010 technique. No claims are made about active exploitation, attribution, prevalence, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1574.010 | Services File Permissions Weakness | Sub-technique | This object detects Services File Permissions Weakness.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 37529526ea6b340e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 37529526ea6b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0436

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.