CAPEC-558: Replace Trusted Executable (Version 2.9)

Attack Pattern ID: 558
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An attacker replaces a trusted executable to allow for the execution of malware when that trusted executable is called.

+ Examples-Instances

Description

Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. "C:\Windows\System32\utilman.exe") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges.
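
A defender-side check for the replacement described above, as an added example that is not part of the CAPEC entry: it compares utilman.exe against cmd.exe by SHA-256 and reports the file's signature status. The function name Test-TrustedExecutable and the inclusion of powershell.exe in the comparison list are assumptions of this example.

```powershell
# Added example (hypothetical helper name). Read-only; needs PowerShell 4.0+.
function Test-TrustedExecutable {
    param(
        # Binary named in the description; pass other paths to check more.
        [string[]]$Target = @("$env:SystemRoot\System32\utilman.exe"),
        # Programs that could be copied over the target. cmd.exe is the one
        # the description names; powershell.exe is an assumption of this example.
        [string[]]$Shell = @(
            "$env:SystemRoot\System32\cmd.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
        )
    )
    # Hash every shell that exists so targets can be matched by content.
    $shellHash = @{}
    foreach ($s in $Shell) {
        if (Test-Path -LiteralPath $s) {
            $shellHash[(Get-FileHash -LiteralPath $s -Algorithm SHA256).Hash] = $s
        }
    }
    foreach ($t in $Target) {
        if (-not (Test-Path -LiteralPath $t)) {
            Write-Warning "$t is missing"
            continue
        }
        $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $t
        $item = Get-Item -LiteralPath $t
        [pscustomobject]@{
            Path         = $t
            # Non-empty: the file is byte-identical to that shell (replaced).
            SameAsShell  = $shellHash[$hash]
            # A copied cmd.exe is still validly signed, so the signature only
            # exposes unsigned or modified replacements.
            Signature    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
            # Version resource embedded in the file actually on disk.
            OriginalName = $item.VersionInfo.OriginalFilename
            LastWriteUtc = $item.LastWriteTimeUtc
            SHA256       = $hash
        }
    }
}

Test-TrustedExecutable | Format-List
```

A non-empty SameAsShell value, or a Signature other than Valid, is the result to investigate.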

+ Content History
Submissions
Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2015-11-09
Source: Internal_CAPEC_Team

Page Last Updated or Reviewed: December 07, 2015