Potential Exploitation of Unquoted Service Path Vulnerability
This rule detects potential exploitation of unquoted service paths on Windows systems, which can lead to privilege escalation by identifying suspicious processes starting from common unquoted paths, indicating a potential attempt to execute malicious code.
This detection rule identifies attempts to exploit unquoted service paths on Windows systems. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory within the path of an unquoted service executable. This occurs because Windows will search for and execute executables along the path, potentially launching a malicious program before reaching the intended service executable. The rule focuses on detecting process executions from vulnerable paths, such as C:\Program.exe, C:\Program Files (x86)\, or C:\Program Files\. Successful exploitation allows an attacker to escalate privileges and execute arbitrary code with elevated permissions. This is a common privilege escalation technique, frequently used after gaining initial access to a system. The rule is based on the Elastic detection rule "Potential Exploitation of an Unquoted Service Path Vulnerability" (rule_id: 12de29d4-bbb0-4eef-b687-857e8a163870).
Attack Chain
- The attacker gains initial access to the system through various means (e.g., phishing, exploiting a different vulnerability).
- The attacker identifies a service with an unquoted path, such as
C:\Program Files\Example Service\service.exe. - The attacker places a malicious executable named
Program.exeinC:\. - The system attempts to start the service, resolving the unquoted path.
- Due to the missing quotes, Windows incorrectly parses the path and executes
C:\Program.exeinstead of the intended service. - The malicious
Program.exeexecutes with the privileges of the service account, potentially SYSTEM. - The attacker gains elevated privileges and can perform actions such as installing software, modifying data, or creating new accounts.
- The attacker establishes persistence or moves laterally within the network.
Impact
A successful unquoted service path exploitation allows an attacker to escalate privileges to the level of the service account, often SYSTEM. This can lead to complete system compromise, allowing the attacker to install malware, steal sensitive data, or create new administrative accounts. The impact is significant, potentially affecting all systems with vulnerable services. This attack targets Windows systems, and the number of affected systems depends on the prevalence of services with unquoted paths within the targeted environment.
Recommendation
- Deploy the Sigma rule "Unquoted Service Path Exploitation" to your SIEM to detect suspicious processes (process.executable) starting from common unquoted paths.
- Review service configurations on Windows systems to identify and correct any unquoted service paths (T1574.009).
- Implement enhanced monitoring and logging for suspicious process activities on the network to detect future attempts promptly (T1574).
- Use the MITRE ATT&CK references provided to understand the attacker's tactics (TA0004) and techniques in greater detail.
Detection coverage 2
Unquoted Service Path Exploitation
mediumDetects potential exploitation of unquoted service paths by identifying processes executing from vulnerable directories.
Unquoted Service Path Exploitation - Program.exe
mediumDetects potential exploitation of unquoted service paths where a program.exe is being executed from the root
Detection queries are available on the platform. Get full rules →