Creation Exe for Service with Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Sigma rule

title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
