Unquoted service or shortcut paths that contain spaces allow path interception by an executable placed higher in the path hierarchy. The defender observes registry service configurations with unquoted paths, file creation of executables in parent directories of those unquoted paths, and subsequent process execution from unexpected locations.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |

| Field | Description |
|---|---|
| MonitoredServices | List of critical services to check for unquoted paths in ImagePath registry keys. |
| SuspiciousBinaryList | Executables with names matching potential interception targets (e.g., program.exe, net.exe). |
| TimeWindow | Correlation interval between file creation in parent directories and execution of unquoted path process. |
| BaselineServiceConfig | Known good service paths for comparison against modified or unquoted values. |
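The detection described above, as an added example that is not part of the original page: it flags unquoted ImagePath values with spaces, derives the parent-directory locations an attacker-controlled binary would have to occupy, and correlates Sysmon file creation (EventCode 11) at those locations with a later process creation (EventCode 1) inside the TimeWindow. The service paths and Sysmon events are constructed samples, and the event dictionaries with `EventCode`, `UtcTime`, `TargetFilename` and `Image` keys are an assumed normalised log shape.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of service ImagePath registry values (service name -> value).
SERVICE_IMAGE_PATHS = {
    "GoodSvc": r'"C:\Program Files\Vendor\good.exe" -run',      # quoted: safe
    "WeakSvc": r"C:\Program Files\Acme Tools\agent.exe -svc",   # unquoted + spaces
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",  # no spaces: safe
}

def executable_part(image_path: str) -> str:
    """Drop arguments: keep everything up to and including the first '.exe'."""
    m = re.match(r"^(.*?\.exe)", image_path.strip(), re.IGNORECASE)
    return m.group(1) if m else image_path.strip()

def is_unquoted_with_spaces(image_path: str) -> bool:
    p = image_path.strip()
    return not p.startswith('"') and " " in executable_part(p)

def interception_candidates(image_path: str) -> list[str]:
    """Paths Windows tries before the real binary when the value is unquoted:
    every prefix ending just before a space, with '.exe' appended."""
    if image_path.strip().startswith('"'):
        return []
    exe = executable_part(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def unquoted_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each unquoted service to the parent-directory paths to watch."""
    return {name: interception_candidates(p)
            for name, p in services.items() if is_unquoted_with_spaces(p)}

def correlate(events, watchlist, window=timedelta(minutes=10)):
    """Return (Image, UtcTime) for process creations of a watched path that
    follow a file creation at that same path within `window` (the TimeWindow)."""
    watched = {p.lower() for paths in watchlist.values() for p in paths}
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventCode"] == 11 and ev["TargetFilename"].lower() in watched:
            created[ev["TargetFilename"].lower()] = ev["UtcTime"]
        elif ev["EventCode"] == 1:
            img = ev["Image"].lower()
            if img in created and ev["UtcTime"] - created[img] <= window:
                hits.append((ev["Image"], ev["UtcTime"]))
    return hits

# Constructed Sysmon events: a drop into the parent directory, then execution.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": T0, "TargetFilename": r"C:\Program Files\Acme.exe"},
    {"EventCode": 1, "UtcTime": T0 + timedelta(minutes=2), "Image": r"C:\Program Files\Acme.exe"},
    {"EventCode": 1, "UtcTime": T0 + timedelta(minutes=3), "Image": r"C:\Windows\System32\svchost.exe"},
]
```

Comparing `unquoted_services()` output against a BaselineServiceConfig export turns this into a change detector for EventCode 4657 as well.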