title: Path Interception by Unquoted Path (T1574.009)
id: df00tech-t1574-009
status: experimental
description: "Adversaries exploit service executable paths that contain spaces and are not enclosed in quotes. When the Service Control Manager starts a service whose ImagePath is C:\\Program Files\\My Service\\service.exe without quotes, CreateProcess resolves the unquoted command line by trying each space-delimited prefix in order, appending .exe where the prefix has no extension: C:\\Program.exe, then C:\\Program Files\\My.exe, then C:\\Program Files\\My Service\\service.exe. An adversary who can create files in one of the directories probed first (here C:\\ or C:\\Program Files\\) can plant Program.exe or My.exe and have it run at service start, typically as LocalSystem, which yields privilege escalation. Default ACLs do not let standard users create files in C:\\ or C:\\Program Files\\, so practical exploitation depends on a writable intermediate directory, most often a third-party product installed outside the protected program directories or one whose installer loosened permissions; a finding is only exploitable when both conditions hold, an unquoted path with spaces and write access to one of the probed directories. PowerSploit (Get-ServiceUnquoted), Empire, and winPEAS all include unquoted path discovery. The misconfiguration is particularly prevalent in third-party software installations that fail to quote service paths."
references:
  - https://attack.mitre.org/techniques/T1574/009/
  - https://df00tech.com/detections/T1574.009
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated, and the selection below matches every process_creation event. Replace it with the KQL/SPL query on df00tech before deploying, otherwise the rule fires on every process start.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Many third-party installers create services with unquoted paths containing spaces; the misconfiguration itself is widespread and is not by itself evidence of exploitation
  - Some legacy applications installed before secure coding practices were common have unquoted paths
  - Enterprise software that has not been updated to fix this misconfiguration
  - "Software deployers that don't validate path quoting during installation"
level: medium
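The prefix-probing rule the description spells out, as an added example for offline triage of service ImagePath values (this script is not df00tech's rule logic and is not part of the original page): it reproduces the order in which CreateProcess probes an unquoted command line, separates the plantable names from the service's real binary, and lists the directories an attacker would need write access to. The service names and paths in SAMPLE_SERVICES are constructed for the example, not taken from any real host.

```python
"""Offline triage of Windows service ImagePath values for unquoted-path
interception (T1574.009). Added example, not df00tech's detection logic."""
import ntpath
from typing import Dict, Iterable, List, Optional, Tuple


def probe_sequence(image_path: str) -> Tuple[List[str], Optional[str]]:
    """Reproduce the order in which CreateProcess probes an unquoted command
    line: every prefix ending at a space is tried first, with '.exe' appended
    when the prefix has no extension, until a prefix ending in '.exe' is hit.

    Returns (plantable_probes, real_binary). plantable_probes are the file
    names an attacker could create to intercept startup; real_binary is the
    prefix naming the service's actual executable, or None if no prefix ends
    in '.exe' (then every prefix is reported, because offline we cannot tell
    which one exists on disk).
    """
    path = image_path.strip()
    # A quoted path reaches CreateProcess verbatim: nothing to intercept.
    if not path or path.startswith('"'):
        return [], None
    probes: List[str] = []
    cut_points = [i for i, ch in enumerate(path) if ch == " "] + [len(path)]
    for cut in cut_points:
        prefix = path[:cut]
        if prefix.lower().endswith(".exe"):
            return probes, prefix
        # CreateProcess appends .exe only when the token has no extension;
        # a token such as 'C:\Tools\v1.2' is probed as-is.
        probes.append(prefix if "." in ntpath.basename(prefix) else prefix + ".exe")
    return probes, None


def interception_dirs(probes: List[str]) -> List[str]:
    """Directories where a planted file would be picked up, in probe order.
    On a live host these are the ones to check with icacls / Get-Acl."""
    dirs: List[str] = []
    for p in probes:
        d = ntpath.dirname(p)
        if d not in dirs:
            dirs.append(d)
    return dirs


def find_unquoted(records: Iterable[Tuple[str, str]]) -> Dict[str, dict]:
    """records: (service_name, image_path) pairs as exported from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath or from
    Win32_Service.PathName. Returns only services exposing a plantable probe."""
    findings: Dict[str, dict] = {}
    for name, image_path in records:
        probes, real = probe_sequence(image_path)
        if probes:
            findings[name] = {
                "probes": probes,
                "real": real,
                "dirs": interception_dirs(probes),
            }
    return findings


# Constructed sample data (not from any real host) covering the cases that matter.
SAMPLE_SERVICES = [
    ("GoodSvc",    r'"C:\Program Files\Good Vendor\good.exe" -run'),  # quoted: safe
    ("BadSvc",     r"C:\Program Files\My Service\service.exe"),       # the page's example
    ("BadSvcArgs", r"C:\Vendor Tools\agent.exe -k netsvcs"),          # arguments after the binary
    ("NoSpace",    r"C:\Windows\System32\svchost.exe -k netsvcs"),    # spaces only in the arguments
]

if __name__ == "__main__":
    for name, info in find_unquoted(SAMPLE_SERVICES).items():
        print(f"{name}: real binary = {info['real']}")
        for p in info["probes"]:
            print(f"    plantable: {p}")
        print(f"    check write access on: {', '.join(info['dirs'])}")
```

Feed it the ImagePath values from a registry export or a `Get-CimInstance Win32_Service` dump; the output is the list of paths to try to create (on an engagement) or to verify the ACLs of (on a hardening pass). A service only shows up when at least one prefix precedes the real binary, so spaces that occur only in the arguments, as with svchost.exe, are correctly ignored.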
