Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Sigma rule
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    # Sub-technique of Hijack Execution Flow (Path Interception by Unquoted Path),
    # matching the referenced atomic test T1574.009
    - attack.t1574.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Related rules
- New Custom Shim Database Created
- Suspicious desktop.ini Action
- Windows Network Access Suspicious desktop.ini Action
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group