Path Interception by Unquoted Path - T1574.009
(ATT&CK® Technique)
Definition
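Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that are not enclosed in quotation marks by placing an executable in a higher-level directory within the path, so that Windows launches the adversary's executable instead of the intended one. This works because, when an unquoted path contains spaces, Windows tries each space-delimited prefix of the path as a candidate executable before it reaches the full path; enclosing the path in quotation marks, and keeping the intermediate directories non-writable by unprivileged users, removes that ambiguity.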
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1574009["Path Interception by Unquoted Path"] --> |creates| ExecutableFile["Executable File"]; class T1574009 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1574009 href "/offensive-technique/attack/T1574.009/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1574009["Path Interception by Unquoted Path"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1574009["Path Interception by Unquoted Path"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"]; FileEviction["File Eviction"] -.-> | may-evict | T1574009["Path Interception by Unquoted Path"] ; class FileEviction DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1574009["Path Interception by Unquoted Path"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1574009["Path Interception by Unquoted Path"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href 
"/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1574009["Path Interception by Unquoted Path"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1574009["Path Interception by Unquoted Path"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1574009["Path Interception by Unquoted Path"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1574009["Path Interception by Unquoted Path"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1574009["Path Interception by Unquoted Path"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | 
ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1574009["Path Interception by Unquoted Path"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | may-restore | T1574009["Path Interception by Unquoted Path"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile";