Windows Persistence: Path Interception (Unquoted Path)
A simple and quite obvious method of achieving persistence: an attacker can take advantage of the way Windows interprets paths to persist a binary by giving it a specific name and placing it in a strategic location. The real reason I'm going over this method is that I plan on using the path C:\Program.exe regularly in these posts, so you should be aware of its existence.
When Windows is passed an unquoted path containing a space character, it has no way to tell where the path to the binary ends and its arguments begin. For example, when the path C:\Program Files\IIS Express\iisexpress.exe is placed unquoted in the registry, Windows checks for a binary at each space character, appending .exe where it is not already present. In this specific case the paths C:\Program.exe, C:\Program Files\IIS.exe and C:\Program Files\IIS Express\iisexpress.exe are checked in turn, and the first one found is executed with the rest of the path as its parameters. A common method of abuse is to place a program at C:\Program.exe, as this location is common enough to be reliable.
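The following script is an added example, not part of the original post: it models the probing rule described above and turns it into an audit. Given a registry-style command line, it lists every path Windows would try before reaching the intended binary, which is exactly the set of locations a defender should check for planted files or protect with restrictive ACLs. The service names and ImagePath values in SAMPLE_IMAGE_PATHS are constructed for the example; on a Windows host the script reads real ImagePath values from the Services key instead.

```python
"""Audit ImagePath-style command lines for the unquoted-path ambiguity.

Models the rule from the post: for an unquoted path containing spaces,
Windows tries the text up to each space as the executable, appending .exe
where it is missing, so every such prefix is a location where a planted
binary would run instead of the intended one.
"""
import sys
from typing import Dict, List

# Constructed sample registry values, not taken from a real host.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "SampleSvc": r"C:\Program Files\IIS Express\iisexpress.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\service.exe" -run',
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def candidate_paths(command_line: str) -> List[str]:
    """Return the executable paths Windows would probe, in probe order.

    A command line that starts with a double quote names its executable
    unambiguously, so it yields exactly one candidate. For an unquoted one,
    each space-delimited prefix is a candidate until the prefix that carries
    the .exe extension, which is taken to be the intended binary; tokens after
    it are its arguments. Simplification: other PE extensions and
    environment-variable prefixes such as %SystemRoot% are not expanded.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        closing = cmd.find('"', 1)
        return [cmd[1:closing] if closing != -1 else cmd[1:]]

    tokens = cmd.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(command_line: str) -> List[str]:
    """Locations probed *before* the intended binary (empty when unambiguous)."""
    return candidate_paths(command_line)[:-1]


def audit(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each ambiguous entry to the files that would pre-empt its binary."""
    return {
        name: hijack_points(cmd)
        for name, cmd in image_paths.items()
        if hijack_points(cmd)
    }


def read_service_image_paths() -> Dict[str, str]:
    """On Windows, collect ImagePath values under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg  # standard library, Windows only

    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as svc:
                    value = winreg.QueryValueEx(svc, "ImagePath")[0]
            except OSError:
                continue  # no ImagePath value, or key not readable
            if isinstance(value, str):
                result[name] = value
    return result


if __name__ == "__main__":
    entries = read_service_image_paths() if sys.platform == "win32" else SAMPLE_IMAGE_PATHS
    for svc_name, probes in audit(entries).items():
        print(f"{svc_name}: Windows would try these first -> {probes}")
```

Run on the constructed sample, only SampleSvc is reported, with C:\Program.exe and C:\Program Files\IIS.exe as the locations tried before iisexpress.exe; the quoted entry and the svchost entry (whose first token already carries the .exe extension) are unambiguous and produce no finding. Any reported path is one where the presence of an unexpected file, or write access for non-administrators, deserves attention.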
A quite obvious downside to this method is that it is visible to anyone looking through their file structure. Although this could be done in a more targeted and less obvious manner, a high chance of execution would require placing the binary in a more common location such as C:\Program.exe. In modern versions of Windows (XP and later), having a program at C:\Program.exe causes a warning box informing the user that it has found a binary in that location and that it may interfere with other programs.
Another potential drawback is that, by its nature, this is not a "reliable" method of persistence: it does not necessarily execute at a predetermined time (startup, a scheduled date and time, etc.) and instead relies on being launched by another program.