Detect Path Interception By Creation Of program.exe

Description

The search is looking for the creation of program.exe in the C: drive. The creation of this file in that location may be driven by a motive to perform path interception.


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Detect Path Interception By Creation Of program.exe Help

This search queries the Endpoint.Filesystem data model node and lists the destination machines, file hashes and file paths for every file named "program.exe" in the C: drive. Path interception occurs when an executable is placed at a specific path so that an application executes it instead of the intended target. In this case, applications vulnerable to path interception (because of unquoted service paths containing spaces in the Windows registry) allow attackers to execute a maliciously crafted program.exe.
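The detection logic described above, as an added example that is not the page's own search and not Splunk code: it runs over constructed Endpoint.Filesystem-style events (field names `dest`, `action`, `file_path`, `file_hash` and the `action == "created"` filter are assumptions) and also shows, via the hypothetical `interception_candidates` helper, why an unquoted service path under `C:\Program Files` makes `C:\program.exe` the path worth watching.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events in an Endpoint.Filesystem-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "action": "created", "file_path": r"C:\program.exe",
     "file_hash": "PLACEHOLDER_HASH_1"},
    {"dest": "ws02", "action": "created",
     "file_path": r"C:\Program Files\Vendor App\svc.exe", "file_hash": "PLACEHOLDER_HASH_2"},
    {"dest": "ws03", "action": "created", "file_path": "c:/PROGRAM.EXE",
     "file_hash": "PLACEHOLDER_HASH_3"},
    {"dest": "ws04", "action": "modified", "file_path": r"C:\program.exe",
     "file_hash": "PLACEHOLDER_HASH_1"},
]


def normalize_path(path: str) -> str:
    """Collapse slash style and case so 'c:/PROGRAM.EXE' compares equal to 'C:\\program.exe'."""
    return re.sub(r"[\\/]+", "\\\\", path.strip()).lower()


def interception_candidates(unquoted_path: str) -> List[str]:
    """Paths Windows tries, in order, when a service path with spaces is unquoted.

    For C:\\Program Files\\Vendor App\\svc.exe the first candidate is C:\\program.exe,
    which is why the search keys on that exact file.
    """
    norm = normalize_path(unquoted_path)
    parts = norm.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [norm]


def detect_program_exe_creation(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emulate the search: report dest, file hash and path for creations of C:\\program.exe."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("action") != "created":
            continue  # assumption: only creation events are in scope
        if normalize_path(ev.get("file_path", "")) == r"c:\program.exe":
            hits.append({"dest": ev["dest"], "file_hash": ev["file_hash"],
                         "file_path": ev["file_path"]})
    return hits


if __name__ == "__main__":
    for hit in detect_program_exe_creation(SAMPLE_EVENTS):
        print(hit)
```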