T1574.005: Executable Installer File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL search order hijacking.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.[1] [2] If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
Analyst context for executives and security teams
This Windows technique matters because weak permissions around installer files or temporary extraction folders can turn a normal software installation process into a higher-privilege code execution path. For leaders, the practical issue is not just malware execution; it is whether endpoint build standards, software packaging, temporary directory controls, and privilege practices prevent user-writable installer content from being executed by elevated processes.
Executive priority
Prioritize this where Windows endpoints or servers routinely run installers with elevated privileges, especially in managed software deployment, help desk workflows, or environments with many local administrator rights. The business decision value is validating that software installation paths do not create preventable privilege escalation, persistence, or audit gaps. This also supports compliance evidence for least privilege, account control, and configuration auditing.
Technical view
ATT&CK lists this as a Windows sub-technique of Hijack Execution Flow under stealth and execution. SOC, IR, and detection engineering teams should validate whether they can observe installer processes writing or executing binaries from user-writable locations such as temporary extraction directories, and whether replaced binaries are launched by a higher-privilege parent process. Because MITRE provides no official detection text for this object, use the related DET0038 detection strategy as direction, but confirm coverage locally against installer behavior, file permissions, process ancestry, integrity level, and account context. Also account for the ATT&CK-noted relationship to DLL search order hijacking and UAC bypass concepts without assuming either is always present.
Likely telemetry
- Windows process creation events with parent/child process relationships
- File creation, overwrite, and rename activity in installer directories and %TEMP% subdirectories
- File and directory permission metadata for installer-created paths and target binaries
- User, privilege, integrity level, and elevation context for installer and child processes
- Software installation, endpoint management, and administrative activity logs
Detection direction
- Baseline legitimate installer behavior before alerting broadly, because many installers unpack and execute files from temporary directories by design.
- Look for elevated installer processes executing binaries that were recently created or modified by a lower-privileged user context.
- Review user-writable directories or binaries that are later executed by privileged installer, service, startup, or scheduled-event contexts.
- Tune for suspicious permission patterns: installer-created folders or payloads that allow broad write access before execution.
- Correlate with the parent Hijack Execution Flow technique and related DLL search order hijacking context when DLLs or search-path behavior are involved.
Mitigation priorities
- Enforce least privilege through user account management so routine users cannot modify sensitive installer paths or run unnecessary elevated installation workflows.
- Keep User Account Control enabled and properly configured to reduce unauthorized or unexpected elevation paths.
- Audit Windows file permissions, installer packaging practices, and temporary extraction behavior for user-writable locations that feed elevated execution.
- Review software deployment and endpoint management processes to ensure installers do not rely on insecure temporary directories or writable binaries.
- Use audit findings as compliance evidence for privilege management, configuration governance, and endpoint hardening.
Analyst notes and limits
The supplied ATT&CK object includes public examples of installer weakness reporting and a relationship to Mustang Panda use, but this summary does not infer current exploitation or customer exposure. The most useful local validation is whether elevated installer workflows intersect with user-writable binaries or directories in the organization’s Windows estate.
MITRE does not provide official detection text for this technique in the supplied fields. The relationship to DET0038 indicates a detection strategy exists, but no detailed strategy content was supplied here. Effective assessment requires local telemetry, endpoint configuration, installer inventory, and permission review.
Executable Installer File Permissions Weakness
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of DLL search order hijacking.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to Bypass User Account Control. Several examples of this weakness in existing common installers have been reported to software vendors.[1] [2] If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1574 | Hijack Execution Flow | This object subtechnique of Hijack Execution Flow. |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | 7cfb08d69cee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mozilla_sec_adv_2012
Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.
Open source URL -
[2]
Executable Installers are Vulnerable
Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.
Open source URL -
[3]
mitre-attack T1574.005Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.