T1574.009 Path Interception by Unquoted Path Mappings

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Service paths (stored in Windows Registry keys) (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path contains one or more spaces and is not surrounded by quotation marks (e.g., `C:\unsafe path with space\program.exe` vs. `"C:\safe path with space\program.exe"`). (Citation: Help eliminate unquoted path) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended one. For example, if the path in a shortcut is `C:\program files\myapp.exe`, an adversary may create a program at `C:\program.exe` that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
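The following is an added audit helper, not code from ATT&CK or the mappings project. It takes service ImagePath values (the constructed, hypothetical samples below stand in for values read from HKLM\SYSTEM\CurrentControlSet\Services on a real host), lists the executables Windows would try before the intended one for each unquoted path, and shows the quoted form that removes the ambiguity. It assumes the intended binary ends in ".exe".

```python
r"""Added example for T1574.009: flag unquoted service paths with spaces."""
import re
from typing import Dict, List, Tuple

# Constructed sample ImagePath values; service names and paths are hypothetical.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Vendor App\svc.exe" -k netsvcs',
    "BadSvc": r"C:\Program Files\Vendor App\svc.exe -k netsvcs",
    "SystemSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# The intended executable is the prefix up to the first ".exe" token
# (assumption: service binaries end in .exe); the remainder is arguments.
_EXE_RE = re.compile(r"(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def _split_exe(image_path: str) -> Tuple[str, str]:
    """Split an unquoted ImagePath into (executable part, argument part)."""
    text = image_path.strip()
    match = _EXE_RE.match(text)
    return (match.group(1), text[match.end():]) if match else (text, "")


def intercept_candidates(image_path: str) -> List[str]:
    r"""Return the paths Windows tries before the intended executable.

    For an unquoted command line, each space is a possible end of the
    executable name, and the prefix is tried with ".exe" appended, so
    C:\Program Files\Vendor App\svc.exe yields C:\Program.exe and then
    C:\Program Files\Vendor.exe. Quoted paths and paths without spaces
    yield no candidates.
    """
    text = image_path.strip()
    if text.startswith('"'):
        return []
    exe, _args = _split_exe(text)
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def quoted_image_path(image_path: str) -> str:
    """Return the ImagePath with the executable quoted (the remediation)."""
    text = image_path.strip()
    if not intercept_candidates(text):
        return text
    exe, args = _split_exe(text)
    return f'"{exe}"{args}'


def audit_image_paths(paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to its interception candidates."""
    findings: Dict[str, List[str]] = {}
    for name, path in paths.items():
        candidates = intercept_candidates(path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, cands in audit_image_paths(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: Windows may try {cands}; fix -> "
              f"{quoted_image_path(SAMPLE_IMAGE_PATHS[svc])}")
```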


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-2 | Account Management | Protects | T1574.009 | Path Interception by Unquoted Path |
AC-3 | Access Enforcement | Protects | T1574.009 | Path Interception by Unquoted Path |
AC-4 | Information Flow Enforcement | Protects | T1574.009 | Path Interception by Unquoted Path |
AC-5 | Separation of Duties | Protects | T1574.009 | Path Interception by Unquoted Path |
AC-6 | Least Privilege | Protects | T1574.009 | Path Interception by Unquoted Path |
CA-7 | Continuous Monitoring | Protects | T1574.009 | Path Interception by Unquoted Path |
CA-8 | Penetration Testing | Protects | T1574.009 | Path Interception by Unquoted Path |
CM-2 | Baseline Configuration | Protects | T1574.009 | Path Interception by Unquoted Path |
CM-6 | Configuration Settings | Protects | T1574.009 | Path Interception by Unquoted Path |
CM-7 | Least Functionality | Protects | T1574.009 | Path Interception by Unquoted Path |
CM-8 | System Component Inventory | Protects | T1574.009 | Path Interception by Unquoted Path |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.009 | Path Interception by Unquoted Path |
SI-10 | Information Input Validation | Protects | T1574.009 | Path Interception by Unquoted Path |
SI-3 | Malicious Code Protection | Protects | T1574.009 | Path Interception by Unquoted Path |
SI-4 | System Monitoring | Protects | T1574.009 | Path Interception by Unquoted Path |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1574.009 | Path Interception by Unquoted Path |
azure_sentinel | Azure Sentinel | technique_scores | T1574.009 | Path Interception by Unquoted Path | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1574.009 | Path Interception by Unquoted Path | This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score.