sigmaDRL-1.1from SigmaHQ/sigma
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
# Feel free to add more
TargetFilename: 'C:\program.exe'
condition: selection
falsepositives:
- Unknown
level: high