Skip to content

Hide Navigation Hide TOC

Creation Exe for Service with Unquoted Path (8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9)

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Cluster A Galaxy A Cluster B Galaxy B Level
Creation Exe for Service with Unquoted Path (8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9) Sigma-Rules Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 1
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 2