Detect Path Interception by Unquoted Path in Splunk
Adversaries exploit Windows services whose ImagePath contains spaces but is not wrapped in quotes. When a service is registered as C:\Program Files\My Service\service.exe (no quotes), the Service Control Manager hands that string to CreateProcess, which cannot tell where the executable name ends and the arguments begin, so it tries each space-delimited prefix in turn with .exe appended: C:\Program.exe, then C:\Program Files\My.exe, and only then C:\Program Files\My Service\service.exe. An adversary who can write to any directory on that chain (C:\, C:\Program Files\, or, for deeper paths such as C:\Program Files\Vendor\Sub Dir\svc.exe, the vendor directory itself, since that path resolves via C:\Program Files\Vendor\Sub.exe) plants a binary at the earlier name and it runs the next time the service starts. Because most services run as LocalSystem, this is a privilege escalation. With default Windows ACLs standard users cannot create files in C:\ or C:\Program Files, so the exploitable case is usually a vendor directory whose installer granted broad write permissions; an unquoted path on its own is a misconfiguration, not proof of exploitability. PowerSploit (Get-ServiceUnquoted in PowerUp), Empire and winPEAS all enumerate unquoted paths, and the weakness is most common in third-party software whose installers fail to quote the service path.
MITRE ATT&CK
- Technique: T1574 Hijack Execution Flow
- Sub-technique: T1574.009 Path Interception by Unquoted Path
- Canonical reference: https://attack.mitre.org/techniques/T1574/009/
SPL Detection Query
```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
| where TargetObject like "%\\Services\\%\\ImagePath"
| rex field=Details "(?i)^(?<ExePath>[a-z]:\\\\[^\"]*?\\.(?:exe|com))"
| where isnotnull(ExePath) AND match(ExePath, " ")
| where NOT match(ExePath, "(?i)^C:\\\\Windows\\\\")
| eval UnquotedPath=Details
| eval FirstIntercept=replace(ExePath, " .*$", ".exe")
| table _time, host, User, TargetObject, UnquotedPath, FirstIntercept, Image
| sort - _time
```
Also detect exploitation (binary planted at interception point):
```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where match(lower(Image), "^c:\\\\program( files)?\.(exe|com)$") OR match(lower(Image), "^c:\\\\program files( \(x86\))?\\\\[^\\\\]+\.(exe|com)$")
| table _time, host, User, Image, CommandLine, ParentImage, IntegrityLevel
| sort - _time
```

The first query finds vulnerable service registrations: Sysmon registry writes to a service ImagePath (the value that sc.exe binPath= and installers set) whose executable portion, everything up to the first .exe or .com, contains a space and does not start with a double quote. Anchoring on the executable portion rather than the whole value avoids flagging services such as C:\Tools\agent.exe --log C:\Tools\run log.txt, where the only spaces are in the arguments; quoted values start with a double quote and never match the drive-letter anchor. FirstIntercept is the earliest name CreateProcess will try; every later space in the path yields a further interception point (the prefix up to that space plus .exe), so a path under C:\Program Files\Vendor App\ also resolves via C:\Program Files\Vendor.exe. The second query detects active exploitation: a process image at C:\Program.exe, at C:\Program Files.exe (the second prefix tried for anything under C:\Program Files (x86)), or directly under either Program Files root, which are the interception points shared by every unquoted path that starts there. It deliberately ignores interception points inside vendor directories, which are specific to each service; build those from the first query's FirstIntercept values if you want them. A hit whose ParentImage is services.exe means the binary was launched by service start, which is the strongest possible signal. The exploitation query has much higher fidelity than the vulnerability discovery query.
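The resolution rule described above and the logic both queries approximate, as an added reference implementation in Python that is not part of the original page or its Splunk detection: it parses constructed Sysmon EventCode 13 records (sample data, not real telemetry; the TargetObject and Details field names follow the Splunk add-on for Sysmon), extracts the executable portion of an unquoted ImagePath, enumerates every interception point CreateProcess will try, lists the directories whose ACLs decide exploitability, and classifies a process image against both the generic Program Files interception points and the service-specific ones the SPL leaves out. The regexes mirror the SPL choices; the function and variable names are this example's own.

```python
import ntpath
import re

# Constructed Sysmon EventCode 13 (registry value set) records; sample data only.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\MySvc\ImagePath",
     "Details": r"C:\Program Files\My Service\service.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\GoodSvc\ImagePath",
     "Details": r'"C:\Program Files\Good Vendor\good.exe" -service'},      # quoted: safe
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\Agent\ImagePath",
     "Details": r"C:\Tools\agent.exe --log C:\Tools\run log.txt"},         # spaces only in args
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\Wcmsvc\ImagePath",
     "Details": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorSvc\ImagePath",
     "Details": r"C:\Program Files (x86)\Vendor App\Sub Dir\svc.exe"},
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\MySvc\Start",
     "Details": "DWORD (0x00000002)"},                                     # not an ImagePath
]

IMAGEPATH_RE = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)
# Drive-letter path up to the first .exe/.com; lazy so arguments are excluded.
# A quoted value starts with " and fails the anchor, which is the "not quoted" test.
EXE_RE = re.compile(r'^([A-Za-z]:\\[^"]*?\.(?:exe|com))', re.IGNORECASE)
WINDOWS_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)
# Interception names shared by every unquoted path under a Program Files root.
GENERIC_INTERCEPT_RE = re.compile(
    r"^[A-Za-z]:\\program(?: files)?\.(?:exe|com)$"
    r"|^[A-Za-z]:\\program files(?: \(x86\))?\\[^\\]+\.(?:exe|com)$",
    re.IGNORECASE,
)


def executable_path(details):
    """Unquoted executable portion of an ImagePath value, or None if quoted
    or not a plain drive-letter path."""
    m = EXE_RE.match(details)
    return m.group(1) if m else None


def interception_points(exe_path):
    """Names CreateProcess tries before the real file: each prefix that ends
    at a space, with .exe appended, left to right."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def find_vulnerable_services(events):
    """Mirror of the discovery query: ImagePath writes whose executable path
    contains a space and is not quoted, excluding the Windows directory."""
    findings = []
    for ev in events:
        if not IMAGEPATH_RE.search(ev["TargetObject"]):
            continue
        exe = executable_path(ev["Details"])
        if exe is None or " " not in exe or WINDOWS_RE.match(exe):
            continue
        points = interception_points(exe)
        findings.append({
            "service": ev["TargetObject"].split("\\")[-2],
            "exe_path": exe,
            "interception_points": points,
            # Directories an attacker must be able to write to; check their ACLs.
            "dirs_to_check": sorted({ntpath.dirname(p) for p in points}),
        })
    return findings


def is_interception_binary(image, findings=()):
    """True if a process image (Sysmon EventCode 1 Image) sits at a generic
    interception location or at a point computed for a known vulnerable service."""
    if GENERIC_INTERCEPT_RE.match(image):
        return True
    return any(image.lower() == p.lower()
               for f in findings for p in f["interception_points"])


if __name__ == "__main__":
    for finding in find_vulnerable_services(SAMPLE_EVENTS):
        print(finding["service"], finding["exe_path"])
        for point in finding["interception_points"]:
            print("   intercept:", point)
        print("   check ACLs on:", ", ".join(finding["dirs_to_check"]))
```

Feeding the first query's results through find_vulnerable_services and the second query's Image values through is_interception_binary with those findings gives the service-specific matches the generic SPL regex cannot express.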
Data Sources
- Sysmon Event ID 13 (RegistryEvent, value set): writes to a service ImagePath, used by the discovery query
- Sysmon Event ID 1 (Process Create): binaries executing from interception points, used by the exploitation query
- Sysmon Event ID 11 (FileCreate) and System Event ID 7045 (service installed): used only to validate the tests below
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (both queries)
False Positives & Tuning
- Vulnerability discovery tools (winPEAS, PowerUp, SharpUp) scanning for unquoted paths are common in legitimate pen tests; they only read the registry, so they show up in PowerShell and process telemetry (Test 2), not in the queries above
- Software installers that create an unquoted ImagePath and then immediately rewrite it quoted; dedup the first query by service name and keep only the latest Details value before alerting
- False positives for the C:\Program.exe pattern are rare, but the vulnerability-discovery query has many legitimate triggers and is best run as a periodic report rather than a real-time alert
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Vulnerable Service with Unquoted Path
Expected signal: System Event ID 7045 (Service Control Manager, a service was installed) for UnquotedTestService. Sysmon Event ID 13 (Registry): HKLM\SYSTEM\CurrentControlSet\Services\UnquotedTestService\ImagePath set to the unquoted value, which the discovery query above should surface. Sysmon Event ID 1 (or Security Event ID 4688) for sc.exe.
- Test 2: Enumerate Unquoted Service Paths (PowerSploit-Style)
Expected signal: PowerShell process creation (Sysmon Event ID 1 or Security Event ID 4688) running a WMI/CIM query against Win32_Service. PowerShell ScriptBlock Logging Event ID 4104 records the enumeration script. Sysmon Event IDs 19 to 21 cover WMI event filter, consumer and binding registration, not ad hoc queries, so a plain Win32_Service query produces no Sysmon WMI event; the Microsoft-Windows-WMI-Activity analytic/trace channels can capture the query if enabled.
- Test 3: Plant Interception Binary at C:\Program.exe
Expected signal: Sysmon Event ID 11 (FileCreate): C:\Program.exe created at the root of the C: drive, which is rarely legitimate and warrants a high-priority alert. The exploitation query fires only once a service with an unquoted path under C:\Program Files starts and spawns it (Sysmon Event ID 1 with ParentImage services.exe), at which point the binary runs as SYSTEM. Writing to C:\ requires administrator rights under default ACLs, so this test exercises the detection rather than the privilege escalation itself.
References (5)
- https://attack.mitre.org/techniques/T1574/009/
- https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
- https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md