Potential Exploitation of an Unquoted Service Path Vulnerability

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Data Source: Elastic Defend Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne Data Source: Elastic Endgame Data Source: Sysmon Data Source: System  ·
Share on: linkedin copy

Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/07/13"
 3integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
13higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
14from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
21risk_score = 21
22rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
23severity = "low"
24tags = [
25    "Domain: Endpoint",
26    "OS: Windows",
27    "Use Case: Threat Detection",
28    "Tactic: Privilege Escalation",
29    "Data Source: Elastic Defend",
30    "Data Source: Microsoft Defender for Endpoint",
31    "Data Source: SentinelOne",
32    "Data Source: Elastic Endgame",
33    "Data Source: Sysmon",
34    "Data Source: System",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and 
41  (
42    process.executable : "?:\\Program.exe" or 
43    process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
44  )
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1574"
52name = "Hijack Execution Flow"
53reference = "https://attack.mitre.org/techniques/T1574/"
54[[rule.threat.technique.subtechnique]]
55id = "T1574.009"
56name = "Path Interception by Unquoted Path"
57reference = "https://attack.mitre.org/techniques/T1574/009/"
58
59
60
61[rule.threat.tactic]
62id = "TA0004"
63name = "Privilege Escalation"
64reference = "https://attack.mitre.org/tactics/TA0004/"

Related rules

to-top