Detectionhightest

Creation Exe for Service with Unquoted Path

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Thu Dec 308c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Sub-techniques

T1547.009 · Shortcut Modification

Rule Metadata

Rule ID

8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9

Status

test

Level

high

Type

Detection

Created

Thu Dec 30

Author

François Hubaut

Path

rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1547.009

View on GitHub