Detection rules › Sigma
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.009 Boot or Logon Autostart Execution: Shortcut Modification |
| Privilege Escalation | T1547.009 Boot or Logon Autostart Execution: Shortcut Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
TargetFilename: 'C:\program.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | eq |
|