https://feed.craftedsignal.io/tags/unquoted-service-path/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 04 Apr 2026 14:16:18 +0000https://feed.craftedsignal.io/briefs/2026-04-sheed-antivirus-privesc/Sat, 04 Apr 2026 14:16:18 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-sheed-antivirus-privesc/Sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by placing a malicious executable in the unquoted path, leading to arbitrary code execution as LocalSystem.Sheed AntiVirus 2.3 is vulnerable to an unquoted service path vulnerability (CVE-2016-20061) affecting the ShavProt service. This vulnerability, disclosed in April 2026, allows a local attacker with limited privileges to escalate their privileges to SYSTEM. The attack involves placing a malicious executable in a directory within the unquoted service path. When the ShavProt service starts (either through a service restart or system reboot), it attempts to execute binaries along the unquoted path. If the attacker-controlled malicious executable is encountered first, it will be executed with LocalSystem privileges. This poses a significant risk as it allows attackers to gain complete control over the affected system.

Attack Chain

1. The attacker identifies the unquoted service path for the ShavProt service in Sheed AntiVirus 2.3. This path is typically found in the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Services\ShavProt\ImagePath.
2. The attacker crafts a malicious executable (e.g., evil.exe) designed to perform actions with elevated privileges (e.g., creating a new administrator account or disabling security features).
3. The attacker places the malicious executable (evil.exe) in a directory along the unquoted service path, ensuring it is named to match a directory name within the path. For example, if the path is C:\Program Files\Sheed AntiVirus\ShavProt.exe, they might create a directory named “Program” and place evil.exe in C:\evil.exe. This will make the system attempt to execute C:\evil.exe Files\Sheed AntiVirus\ShavProt.exe.
4. The attacker triggers a restart of the ShavProt service. This can be achieved using the net stop and net start commands, or through the Services management console (services.msc).
5. Alternatively, the attacker can induce a system reboot to trigger the service to start automatically.
6. As the service starts, Windows attempts to execute the ShavProt service binary, but due to the unquoted path, it first executes the attacker’s malicious executable (evil.exe) with LocalSystem privileges.
7. The malicious executable performs its intended actions, such as creating a new administrator account, modifying system files, or installing backdoors.
8. The attacker now has persistent access to the system with LocalSystem privileges.

Impact

Successful exploitation of this vulnerability allows a local attacker to gain complete control over the affected system. This can lead to sensitive data theft, installation of malware, disruption of services, and potential compromise of the entire network if the attacker pivots to other systems. The vulnerability affects all installations of Sheed AntiVirus 2.3, potentially impacting a wide range of users if the antivirus is still deployed.

Recommendation

• Apply any available patches or upgrades for Sheed AntiVirus. If no patch is available, consider uninstalling the software.
• Monitor process creation events for execution of binaries from unusual paths that coincide with unquoted service paths as a generic preventative measure using the “Detect Suspicious Process Creation in Unquoted Path” Sigma rule.
• Monitor service creation events (if possible via endpoint detection) for services with unquoted paths.
• Block the download URL http://dl.sheedantivirus.ir/setup.exe at the network perimeter.

]]>highadvisoryprivilege-escalationunquoted-service-pathcve-2016-20061https://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/Mon, 29 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-29-unquoted-service-path/This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.Unquoted service paths in Windows can be exploited to escalate privileges. When a service path lacks quotes, Windows may execute a malicious executable placed in a higher-level directory. This detection rule identifies suspicious processes starting from common unquoted paths, like “C:\Program.exe” or executables within “C:\Program Files (x86)\” or “C:\Program Files\”, signaling potential exploitation attempts. The rule aims to detect early stages of privilege escalation threats. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, Windows Security Event Logs, and Crowdstrike.

Attack Chain

1. An attacker identifies a service running with an unquoted path, such as “C:\Program Files\Unquoted Path Service\Common\Service.exe”.
2. The attacker places a malicious executable named “Program.exe” in “C:"
3. The operating system attempts to start the service “C:\Program Files\Unquoted Path Service\Common\Service.exe”.
4. Due to the unquoted path, the OS incorrectly parses the path and first attempts to execute “C:\Program.exe”.
5. The malicious “Program.exe” executes with the privileges of the service account.
6. The malicious executable performs actions to escalate privileges, such as adding a user to the local administrators group.
7. The attacker gains elevated access to the system.

Impact

Successful exploitation of an unquoted service path vulnerability can lead to complete system compromise, as the attacker gains the privileges of the service account. This can allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. The impact is high, potentially leading to a loss of confidentiality, integrity, and availability of the affected system.

Recommendation

• Review process executable paths to confirm if they match the patterns specified in the rule query, such as “?:\Program.exe” or executables within “C:\Program Files (x86)\” or “C:\Program Files\”.
• Deploy the Sigma rule “Potential Exploitation of an Unquoted Service Path Vulnerability” to your SIEM and tune for your environment.
• Enable Sysmon process-creation logging with Event ID 1 to activate the Sigma rules above.
• Conduct a thorough review of service configurations to identify and correct any unquoted service paths as part of remediation steps.

]]>lowadvisoryprivilege-escalationunquoted-service-pathwindows