T1574.009 Path Interception by Unquoted Path Mappings

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher-level (parent) directory within the path, so that when Windows resolves the ambiguous path it finds and launches the adversary's executable before the intended one.

Service paths (stored in Windows Registry keys) (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>). (Citation: Help eliminate unquoted path) An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended one. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program. Because Windows treats each space in an unquoted path as a possible end of the executable name, every such prefix is a candidate, tried in order from shortest to longest. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)

This technique can be used for persistence if the intercepted executables are called on a regular basis (for example, at service start or at each login), as well as for privilege escalation if the intercepted executables are started by a higher-privileged process, such as a service running as LocalSystem. In practice the adversary also needs write access to one of the candidate directories; on a default installation <code>C:\</code> and <code>C:\Program Files</code> are not writable by standard users, so the exposure usually comes from a vendor directory with a weak ACL.
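The resolution order described above, worked through in code. This is an added example, not part of the ATT&CK page or the mappings project: it models the documented CreateProcess rule for an unquoted command line (each space-delimited prefix is tried in turn, with .exe appended when the prefix has no extension) and applies it to a constructed set of service ImagePath values. The service names, paths and the `WRITABLE_BY_STANDARD_USER` set are made up for the demonstration; on a real host the paths would come from `Get-CimInstance Win32_Service` or `wmic service get name,pathname`, and the writability check from the actual directory ACLs.

```python
"""Model Windows' resolution of unquoted paths with spaces (T1574.009).

Added example with constructed data. Windows tries each space-delimited
prefix of an unquoted command line as the executable, shortest first,
appending ".exe" when the prefix has no extension; a quoted path yields
exactly one candidate. Every candidate that precedes the intended binary
is a location where an adversary could plant a file.
"""

import ntpath

# Constructed sample modelled on
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath values (not real services).
SAMPLE_SERVICES = {
    "SafeSvc":   '"C:\\Program Files\\Vendor\\Safe Svc\\safesvc.exe" -run',
    "UnsafeSvc": 'C:\\Program Files\\Vendor\\Unsafe Svc\\unsafesvc.exe -run',
    "svchost":   '%SystemRoot%\\system32\\svchost.exe -k netsvcs',
    "NoSpace":   'C:\\Tools\\agent.exe',
}

# Assumption for the demo: a vendor installer left its directory writable by
# standard users. C:\ and C:\Program Files are deliberately NOT in this set,
# matching default Windows ACLs.
WRITABLE_BY_STANDARD_USER = {"C:\\Program Files\\Vendor"}


def candidate_paths(command_line: str) -> list[str]:
    """Executables Windows tries, in order, for a service/shortcut command line.

    Stops at the first candidate that ends in .exe, i.e. the intended binary;
    if none does, every prefix (including argument tokens) is a candidate,
    which is what Windows does when no earlier prefix exists on disk.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):                      # quoted: unambiguous
        close = cmd.find('"', 1)
        return [cmd[1:close]] if close != -1 else [cmd[1:]]

    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        leaf = prefix.rsplit("\\", 1)[-1]        # last path component of the prefix
        candidates.append(prefix if "." in leaf else prefix + ".exe")
        if leaf.lower().endswith(".exe"):
            break
    return candidates


def hijack_points(command_line: str) -> list[str]:
    """Paths an adversary could plant that are tried BEFORE the intended binary."""
    return candidate_paths(command_line)[:-1]


def find_unquoted_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Return {service: hijack points} for every service with an interceptable path."""
    return {name: hp for name, path in services.items() if (hp := hijack_points(path))}


def exploitable(command_line: str, writable_dirs: set[str]) -> list[str]:
    """Hijack points whose parent directory the attacker can actually write to.

    An unquoted path is only a finding worth escalating if one of the
    candidate directories is writable by the attacker's principal.
    """
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [p for p in hijack_points(command_line)
            if ntpath.dirname(p).lower().rstrip("\\") in writable]


if __name__ == "__main__":
    for svc, points in find_unquoted_services(SAMPLE_SERVICES).items():
        print(f"{svc}: candidates tried before the real binary -> {points}")
        print(f"  writable for a standard user -> "
              f"{exploitable(SAMPLE_SERVICES[svc], WRITABLE_BY_STANDARD_USER)}")
```

For `UnsafeSvc` the model reports `C:\Program.exe` and `C:\Program Files\Vendor\Unsafe.exe` as the paths tried first, and only the second as exploitable given the assumed writable directory; `SafeSvc` (quoted), `svchost` (space only in the arguments) and `NoSpace` are not flagged. The usual fix is to quote the path, e.g. `sc config UnsafeSvc binPath= "\"C:\Program Files\Vendor\Unsafe Svc\unsafesvc.exe\" -run"`, and to verify that no candidate directory grants write access to non-administrators.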


Mappings

Capability ID | Capability Description                          | Mapping Type | ATT&CK ID | ATT&CK Name
AC-2          | Account Management                              | Protects     | T1574.009 | Path Interception by Unquoted Path
AC-3          | Access Enforcement                              | Protects     | T1574.009 | Path Interception by Unquoted Path
AC-4          | Information Flow Enforcement                    | Protects     | T1574.009 | Path Interception by Unquoted Path
AC-5          | Separation of Duties                            | Protects     | T1574.009 | Path Interception by Unquoted Path
AC-6          | Least Privilege                                 | Protects     | T1574.009 | Path Interception by Unquoted Path
CA-7          | Continuous Monitoring                           | Protects     | T1574.009 | Path Interception by Unquoted Path
CA-8          | Penetration Testing                             | Protects     | T1574.009 | Path Interception by Unquoted Path
CM-2          | Baseline Configuration                          | Protects     | T1574.009 | Path Interception by Unquoted Path
CM-6          | Configuration Settings                          | Protects     | T1574.009 | Path Interception by Unquoted Path
CM-7          | Least Functionality                             | Protects     | T1574.009 | Path Interception by Unquoted Path
CM-8          | System Component Inventory                      | Protects     | T1574.009 | Path Interception by Unquoted Path
RA-5          | Vulnerability Monitoring and Scanning           | Protects     | T1574.009 | Path Interception by Unquoted Path
SI-10         | Information Input Validation                    | Protects     | T1574.009 | Path Interception by Unquoted Path
SI-3          | Malicious Code Protection                       | Protects     | T1574.009 | Path Interception by Unquoted Path
SI-4          | System Monitoring                               | Protects     | T1574.009 | Path Interception by Unquoted Path
SI-7          | Software, Firmware, and Information Integrity   | Protects     | T1574.009 | Path Interception by Unquoted Path