
DET0064 Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0064         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1574.009 (Path Interception by Unquoted Path)

Analytics

Windows

AN0176

Unquoted service or shortcut paths that contain spaces allow path interception: when the path is resolved, Windows tries each shorter candidate executable in the parent directories before it reaches the intended binary. The defender observes registry service configurations whose ImagePath is unquoted and contains spaces, file creation of executables in the parent directories of such paths, and subsequent process execution from those unexpected locations.

Log Sources

| Data Component                            | Name   | Channel                            |
|-------------------------------------------|--------|------------------------------------|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657        |
| File Creation (DC0039)                    | WinEventLog:Sysmon   | EventCode=11          |
| Process Creation (DC0032)                 | WinEventLog:Sysmon   | EventCode=1           |
| File Metadata (DC0059)                    | WinEventLog:Sysmon   | EventCode=15          |

Mutable Elements

| Field                 | Description                                                                                          |
|-----------------------|------------------------------------------------------------------------------------------------------|
| MonitoredServices     | List of critical services to check for unquoted paths in ImagePath registry keys.                    |
| SuspiciousBinaryList  | Executables with names matching potential interception targets (e.g., program.exe, net.exe).         |
| TimeWindow            | Correlation interval between file creation in parent directories and execution of the unquoted-path process. |
| BaselineServiceConfig | Known-good service paths for comparison against modified or unquoted values.                         |
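The following is an added worked example of the AN0176 logic and the mutable elements above; it is not part of the MITRE detection strategy page. It assumes Sysmon events have already been parsed into dictionaries carrying EventCode, UtcTime, Image and TargetFilename (field names follow Sysmon's own), that service ImagePath values have been read from the registry into a dictionary, and that the service binary is an .exe so that trailing arguments can be trimmed at the first ".exe". The service names, paths and events are constructed sample data. The time window and service list stand in for the TimeWindow and MonitoredServices elements.

```python
"""Detection logic for T1574.009: enumerate the interception candidates of an
unquoted service path, audit service configuration, and correlate Sysmon
file-creation (EventCode 11) with process-creation (EventCode 1) events.
Added example; field names mirror Sysmon, all data below is constructed."""
from datetime import datetime, timedelta

# Mutable element TimeWindow (assumed value for this example)
TIME_WINDOW = timedelta(minutes=10)


def executable_part(image_path: str) -> str:
    """Drop service arguments: keep text up to and including the first '.exe'
    (assumption for this example: the service binary is an .exe)."""
    idx = image_path.lower().find(".exe")
    return image_path[: idx + 4] if idx != -1 else image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and its executable
    portion contains a space, i.e. it is interceptable."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in executable_part(path)


def candidate_interception_paths(image_path: str) -> list:
    """Executables Windows would try before the intended binary, e.g.
    'C:\\Program Files\\Acme Corp\\svc.exe' ->
    ['C:\\Program.exe', 'C:\\Program Files\\Acme.exe']."""
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = executable_part(image_path.strip()).split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit_service_paths(service_paths: dict) -> list:
    """Configuration check (MonitoredServices / BaselineServiceConfig):
    names of services whose ImagePath is unquoted and contains spaces."""
    return [svc for svc, path in service_paths.items()
            if is_unquoted_with_spaces(path)]


def correlate(service_paths: dict, events: list, window=TIME_WINDOW) -> list:
    """Alert when an executable is created at an interception path and a
    process is later launched from that path within the time window."""
    watch = {}  # lower-cased candidate path -> service it shadows
    for svc, path in service_paths.items():
        for cand in candidate_interception_paths(path):
            watch[cand.lower()] = svc
    creations = [e for e in events
                 if e["EventCode"] == 11
                 and e["TargetFilename"].lower() in watch]
    alerts = []
    for c in creations:
        target = c["TargetFilename"].lower()
        for e in events:
            if e["EventCode"] != 1 or e["Image"].lower() != target:
                continue
            delta = e["UtcTime"] - c["UtcTime"]
            if timedelta(0) <= delta <= window:
                alerts.append({"service": watch[target],
                               "intercept_path": e["Image"],
                               "created_by": c["Image"],
                               "parent": e.get("ParentImage"),
                               "seconds_between": delta.total_seconds()})
    return alerts


# Constructed sample data: ImagePath values as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath
SERVICE_IMAGE_PATHS = {
    "AcmeUpdater": r"C:\Program Files\Acme Corp\Updater\acmeupd.exe -service",
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe"',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

T0 = datetime(2025, 10, 21, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed Sysmon events
    {"EventCode": 11, "UtcTime": T0,
     "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Program Files\Acme.exe"},
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=45),
     "Image": r"C:\Program Files\Acme.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=50),
     "Image": r"C:\Program Files\Acme Corp\Updater\acmeupd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventCode": 1, "UtcTime": T0 + timedelta(hours=2),  # outside window
     "Image": r"C:\Program Files\Acme.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print("Unquoted services:", audit_service_paths(SERVICE_IMAGE_PATHS))
    for alert in correlate(SERVICE_IMAGE_PATHS, SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The audit function is the standing configuration check, run against the MonitoredServices list and compared with BaselineServiceConfig; the correlation function is the behavioural half, and the TimeWindow bound keeps an old stray binary from generating an alert on every later launch. Matching is case-insensitive because NTFS paths are.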