Potential Exploitation of an Unquoted Service Path Vulnerability

Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/07/13"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
11higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
12from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
19risk_score = 21
20rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Privilege Escalation",
27    "Data Source: Elastic Defend",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and 
34  (
35    process.executable : "?:\\Program.exe" or 
36    process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
37  )
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1574"
45name = "Hijack Execution Flow"
46reference = "https://attack.mitre.org/techniques/T1574/"
47[[rule.threat.technique.subtechnique]]
48id = "T1574.009"
49name = "Path Interception by Unquoted Path"
50reference = "https://attack.mitre.org/techniques/T1574/009/"
51
52
53
54[rule.threat.tactic]
55id = "TA0004"
56name = "Privilege Escalation"
57reference = "https://attack.mitre.org/tactics/TA0004/"
