IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Potential Evasion via Filter Manager Potential External Linux SSH Brute Force Detected »

› › ›

Potential Exploitation of an Unquoted Service Path Vulnerability

edit

Potential Exploitation of an Unquoted Service Path Vulnerability

edit

Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Rule Type: BBR
Data Source: Elastic Defend

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where event.type == "start" and
  (
    process.executable : "?:\\Program.exe" or
    process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
  )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
Sub-technique:
- Name: Path Interception by Unquoted Path
- ID: T1574.009
- Reference URL: https://attack.mitre.org/techniques/T1574/009/

« Potential Evasion via Filter Manager Potential External Linux SSH Brute Force Detected »