CAPEC-558: Replace Trusted Executable
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.
Last updated
Overview
CAPEC-558 (Replace Trusted Executable) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
Examples
Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. "C:\Windows\System32\utilman.exe") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges.
Terminology & mappings
Mapped taxonomies
- : Server Software Component: Terminal Services DLL (1505.005)