Adversaries may exploit unquoted service paths to run their own payload with the service's privileges. When a service's ImagePath contains spaces and is not wrapped in quotes (for example C:\Program Files\Vendor\svc.exe), Windows resolves the path one space at a time and tries C:\Program.exe, then C:\Program Files\Vendor.exe, before the intended binary. An adversary who can write to one of those higher-level directories drops an executable there and it runs the next time the service starts, typically as SYSTEM, which makes this a privilege escalation and persistence technique (MITRE ATT&CK T1574.009) rather than lateral movement. SOC teams should hunt for the creation of such files in Azure Sentinel, starting with the most common case, C:\program.exe, and should also fix the unquoted paths themselves so the hijack is not possible.
Detection Rule
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1574.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query
The query below runs against the ASIM file event parser. Note that in the ASIM schema TargetFileName holds only the file name (program.exe) while the full path lives in TargetFilePath, so the comparison must be made against TargetFilePath or it never returns a row. The Sigma category file_event covers file creation, which maps to the ASIM EventType value FileCreated.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath =~ "C:\\program.exe"
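The following Python is an added example, not part of the Sigma rule, the Atomic Red Team test or any Sentinel content. It shows the path-search behaviour the rule relies on by deriving every hijack candidate from a service ImagePath (the rule only watches the first of them, C:\program.exe), then runs the same creation-of-watched-file logic over a handful of constructed file events. The service names, ImagePath values and events are made up for the demonstration; the event field names (EventType, TargetFilePath, ActingProcessName, Dvc) mirror the ASIM imFileEvent schema used by the query above.

```python
import re

# Constructed service ImagePath values (not from a real host). The first two
# are unquoted and contain spaces; the third is quoted and therefore safe.
SAMPLE_IMAGE_PATHS = {
    "VendorSvc": r"C:\Program Files\Some Vendor\Agent\svc.exe -run",
    "LegacyBackup": r"C:\Tools\Backup Suite\backup.exe",
    "QuotedSvc": r'"C:\Program Files\Other Vendor\good.exe" -svc',
}

# Constructed ASIM-style file events. Only creations of a watched path count.
SAMPLE_EVENTS = [
    {"EventType": "FileCreated", "TargetFilePath": r"C:\program.exe",
     "ActingProcessName": "powershell.exe", "Dvc": "WS01"},
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Program Files\Some.EXE",
     "ActingProcessName": "cmd.exe", "Dvc": "WS01"},
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Users\bob\program.exe",
     "ActingProcessName": "explorer.exe", "Dvc": "WS02"},   # wrong directory
    {"EventType": "FileDeleted", "TargetFilePath": r"C:\program.exe",
     "ActingProcessName": "cmd.exe", "Dvc": "WS01"},        # not a creation
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Tools\Backup.exe",
     "ActingProcessName": "msiexec.exe", "Dvc": "SRV01"},
]


def hijack_candidates(image_path: str) -> list:
    """Executables Windows would try, in order, before the intended binary
    when ImagePath is unquoted and contains spaces: every prefix that ends
    at a space gets ".exe" appended. A quoted ImagePath yields nothing."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Keep the binary only; anything after the first .exe is arguments.
    m = re.search(r"\.exe\b", path, re.IGNORECASE)
    binary = path[: m.end()] if m else path
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]


def build_watchlist(image_paths: dict) -> dict:
    """Map each hijack path (lower-cased, Windows paths are case-insensitive)
    to the first service whose start would execute it."""
    watch = {}
    for service, image_path in image_paths.items():
        for candidate in hijack_candidates(image_path):
            watch.setdefault(candidate.lower(), service)
    return watch


def detect(events: list, watch: dict) -> list:
    """The rule's logic generalised from one literal to a watchlist: report
    (path, hijacked service, creating process, host) for every creation of
    a watched path. Deletions, modifications and look-alike paths in other
    directories are ignored."""
    hits = []
    for event in events:
        if event.get("EventType") != "FileCreated":
            continue
        key = event.get("TargetFilePath", "").lower()
        if key in watch:
            hits.append((event["TargetFilePath"], watch[key],
                         event.get("ActingProcessName"), event.get("Dvc")))
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(SAMPLE_IMAGE_PATHS)
    for path, service in watchlist.items():
        print(f"watch {path}  (would hijack {service})")
    for hit in detect(SAMPLE_EVENTS, watchlist):
        print("ALERT: created %s -> hijacks %s, by %s on %s" % hit)
```

On the constructed input the watchlist contains three paths (C:\Program.exe and C:\Program Files\Some.exe for VendorSvc, C:\Tools\Backup.exe for LegacyBackup) and three of the five events alert; the drop under C:\Users and the deletion do not. The same candidate list is what you would feed into the Sigma selection in place of the single C:\program.exe literal after enumerating the real services on a host.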
Scenario: Adversary Simulation or Vulnerability Validation
Description: A red team runs the Atomic Red Team T1574.009 test referenced by the rule, or an administrator copies a harmless binary to C:\program.exe to confirm that an unquoted-path finding is exploitable. This is the one routine activity that creates the watched file for a benign reason.
Filter/Exclusion: Exclude only known test hosts and the process used to drop the file, keeping the exclusion narrow. Field names follow ASIM imFileEvent and the host name is a placeholder: | where not(Dvc =~ "REDTEAM-WS01" and ActingProcessName in~ ("powershell.exe", "cmd.exe"))
Scenario: Legitimate Executables Launched Through an Unquoted Path
Description: Scheduled tasks, patching tools (wusa.exe, dism.exe), administrator scripts (powershell.exe running C:\scripts\update.ps1) and endpoint protection scans (mpcmdrun.exe from Microsoft Defender) are sometimes started through unquoted paths. These are process-creation events; none of them writes C:\program.exe, so they do not match this file-creation rule.
Filter/Exclusion: None needed. Exclusions keyed on process names such as schtasks.exe, wusa.exe, dism.exe, powershell.exe or mpcmdrun.exe would only hide a real drop if an attacker used one of those binaries to write the file.
Scenario: Service Configured with an Unquoted Path
Description: Legitimate services such as SQLServerAgent or IISADMIN may be registered with an unquoted ImagePath that contains spaces. That misconfiguration is the precondition the adversary abuses, not something this rule alerts on: the rule fires only when C:\program.exe is created, regardless of which service would execute it.
Filter/Exclusion: Do not exclude by service name. Quote the path in the service configuration (with sc.exe config binPath= or by editing the service's ImagePath registry value) so the hijack becomes impossible, and consider adding the other space-delimited prefixes of such paths to the rule's selection.