T1574.009 Sumo Logic CSE · Sumo

Detect Path Interception by Unquoted Path in Sumo Logic CSE

Adversaries exploit unquoted service executable paths that contain spaces. When a service path like C:\Program Files\My Service\service.exe is not quoted, Windows parses it by trying C:\Program.exe, then C:\Program Files\My.exe, then C:\Program Files\My Service\service.exe. An adversary with write access to C:\ or C:\Program Files\ can plant Program.exe or Program Files\My.exe to intercept service startup. This technique achieves privilege escalation because services typically run as SYSTEM. PowerSploit (Get-ServiceUnquoted), Empire, and winPEAS all include unquoted path discovery. It is particularly prevalent in third-party software installations that fail to properly quote service paths.
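As an added illustration that is not part of this Sumo Logic page, the parsing rule above written as a small Python audit helper: given service ImagePath values, it lists the interception candidates Windows would try before the real binary and the directories whose write permissions an administrator should check. The service names and paths below are constructed samples; the function and class names are my own.

```python
import ntpath
from dataclasses import dataclass

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")  # ends the executable name


@dataclass
class UnquotedPathFinding:
    service: str
    image_path: str
    candidates: list    # files Windows would try before the real binary
    writable_dirs: list  # directories whose write ACLs need auditing


def interception_candidates(image_path: str) -> list:
    """Executables Windows would try, in order, before the real binary.
    CreateProcess splits an unquoted command line at each space and tries
    every prefix, appending .exe when the prefix has no extension. Quoted
    paths yield nothing, and arguments after the real .exe are ignored."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []  # quoted ImagePath: the whole path is one token
    tokens = path.split(" ")
    candidates, prefix = [], tokens[0]
    for tok in tokens[1:]:
        if prefix.lower().endswith(EXEC_EXTENSIONS):
            break  # reached the real binary; the rest are arguments
        has_ext = "." in ntpath.basename(prefix)
        candidates.append(prefix if has_ext else prefix + ".exe")
        prefix = prefix + " " + tok
    return candidates


def writable_directories(candidates: list) -> list:
    """Parent directories an attacker would need write access to."""
    return list(dict.fromkeys(ntpath.dirname(c) for c in candidates))


def audit_image_paths(services: dict) -> list:
    """Flag every service whose ImagePath has interception candidates."""
    return [UnquotedPathFinding(n, p, c, writable_directories(c))
            for n, p in services.items() if (c := interception_candidates(p))]


# Constructed sample registry values, not data from any real host
SAMPLE_IMAGE_PATHS = {
    "UnquotedTestService": r"C:\Program Files\My Service\service.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorAgent": r'"C:\Program Files\Vendor Agent\agent.exe" -svc',
    "Telemetry": r"C:\Program Files\Acme Tools\tele.exe -k net",
}

if __name__ == "__main__":
    for f in audit_image_paths(SAMPLE_IMAGE_PATHS):
        print(f.service, f.candidates, f.writable_dirs)
```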

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation, Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.009 Path Interception by Unquoted Path
Canonical reference
https://attack.mitre.org/techniques/T1574/009/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Sysmon process-creation (1) and file-creation (11) events only
_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1", "11")
// Normalise the path of interest: the image for process starts, the target file for file creates
| if(EventCode = "1", Image, TargetFilename) as FilePath
| where lower(FilePath) matches /\\temp\\/
| where lower(FilePath) matches /(\.exe|\.dll)$/
// Installer-like process names and binary creation raise the score
| if(EventCode = "1" and lower(Image) matches /(setup|install|msiexec|update)/, "true", "false") as IsInstaller
| if(EventCode = "11", "true", "false") as IsBinaryCreate
| where User != "NT AUTHORITY\\SYSTEM" and !isNull(User)
| if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40) as RiskScore
// Group per host and user in 10-minute windows
| timeslice 10m
| values(EventCode) as EventTypes, values(FilePath) as Files, count as EventCount by _sourceHost, User, _timeslice
| where EventCount > 1
| sort by EventCount desc
Severity: medium. Confidence: low.

Sumo Logic detection for Path Interception by Unquoted Path. Detects service registry entries with unquoted paths containing spaces — the pre-condition for unquoted path interception attacks. Monitors the Services registry hive for ImagePath/BinPath values that

Data Sources

Sysmon Event ID 1, Sysmon Event ID 11

Required Tables

_sourceCategory=*sysmon*

False Positives & Tuning

  • Multi-stage installers that legitimately modify components in TEMP during installation
  • Enterprise deployment solutions staging installer binaries in temporary locations
  • Self-updating applications that patch their own binaries before running them
  • Software that extracts and immediately executes components from archives
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create Vulnerable Service with Unquoted Path

    Expected signal: Security Event ID 7045 (System log): Service Installed event for UnquotedTestService. Sysmon Event ID 13 (Registry): HKLM\SYSTEM\CurrentControlSet\Services\UnquotedTestService\ImagePath set to unquoted value. Process creation for sc.exe.

  2. Test 2: Enumerate Unquoted Service Paths (PowerSploit-Style)

    Expected signal: PowerShell process creation with WMI query to Win32_Service. Sysmon Event ID 19 (WMI Activity) may log the WMI query. PowerShell ScriptBlock Log Event ID 4104 records the enumeration script.

  3. Test 3: Plant Interception Binary at C:\Program.exe

    Expected signal: Sysmon Event ID 11 (FileCreate): C:\Program.exe created at root of C: drive. High-priority alert — any EXE at C:\ root is anomalous. If any service with unquoted 'C:\Program Files' path starts, this binary would execute as SYSTEM.
