sigmahighHunting

Creation Exe for Service with Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

MITRE ATT&CK

T1547.009

privilege-escalationpersistence

Detection Query

selection:
  TargetFilename: C:\program.exe
condition: selection

Author

frack113

Created

2021-12-30

Data Sources

windowsFile Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md

Tags

attack.privilege-escalationattack.persistenceattack.t1547.009

Raw Content

title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high