Potential Exploitation of an Unquoted Service Path Vulnerability

 1[metadata]
 2creation_date = "2023/07/13"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
13higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
14from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.process-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
21risk_score = 21
22rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where host.os.type == "windows" and event.type == "start" and 
30  (
31    process.executable : "?:\\Program.exe" or 
32    process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
33  )
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40[[rule.threat.technique]]
41id = "T1574"
42name = "Hijack Execution Flow"
43reference = "https://attack.mitre.org/techniques/T1574/"
44[[rule.threat.technique.subtechnique]]
45id = "T1574.009"
46name = "Path Interception by Unquoted Path"
47reference = "https://attack.mitre.org/techniques/T1574/009/"
48
49
50[rule.threat.tactic]
51id = "TA0004"
52name = "Privilege Escalation"
53reference = "https://attack.mitre.org/tactics/TA0004/"