According to ATT&CK, an adversary may escalate privileges by intercepting the search path for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Hijack Execution Flow Path Interception by Unquoted Path Privilege Escalation, Persistence High

D3FEND Techniques

ID Name
D3-PLA Process Lineage Analysis

Data Model References

Object Action Field
process create command_line
process create image_path
process create parent_exe

Implementations

Pseudocode

Look over all service creations that have a quoted path for the first argument. Assuming these still have an absolute path, look for cases in which the command line has a space, but the exe field is not part of the command line. This would indicate that a different process was intended, but the path was intercepted at an earlier space.

process = search Process:Create
services = filter processes where (parent_exe == "services.exe")
unquoted_services = filter services where (command_line != "\"*" and command_line == "* *")
intercepted_service = filter unquoted_service where (image_path != "* *" and exe not in command_line)
output intercepted_service