Potential Exploitation of an Unquoted Service Path Vulnerability
Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/13"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/04/05"
8
9[rule]
10author = ["Elastic"]
11description = """
12Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
13higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
14from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.process-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
21risk_score = 21
22rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where host.os.type == "windows" and event.type == "start" and
30 (
31 process.executable : "?:\\Program.exe" or
32 process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
33 )
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40[[rule.threat.technique]]
41id = "T1574"
42name = "Hijack Execution Flow"
43reference = "https://attack.mitre.org/techniques/T1574/"
44[[rule.threat.technique.subtechnique]]
45id = "T1574.009"
46name = "Path Interception by Unquoted Path"
47reference = "https://attack.mitre.org/techniques/T1574/009/"
48
49
50[rule.threat.tactic]
51id = "TA0004"
52name = "Privilege Escalation"
53reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Account Discovery Command via SYSTEM Account
- Bypass UAC via Event Viewer
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service