AN0176: Analytic 0176
Unquoted service or shortcut paths that contain spaces and allow path interception by higher-level executables. Defender observes registry service configurations with unquoted paths, file creation of executables in parent directories of unquoted paths, and subsequent process execution from unexpected locations.
Analyst context for executives and security teams
This analytic matters because unquoted Windows service or shortcut paths with spaces can create an avoidable path-interception risk. For leaders, the decision value is not just whether the condition exists, but whether the organization can prove it can find weak service configurations, notice suspicious executable placement in parent directories, and investigate unexpected process execution before the issue affects operational resilience.
Executive priority
Prioritize this as a Windows configuration hygiene and detection validation item. It is relevant to vulnerability management, endpoint hardening, SOC visibility, and compliance evidence because it tests whether teams can identify risky service or shortcut path configurations and correlate them with file creation and execution activity. Leaders should ask: where do unquoted paths exist, who owns remediation, and can the SOC show evidence that suspicious follow-on activity would be investigated?
Technical view
For Windows environments, validate coverage across three evidence points described by the analytic: registry service configurations containing unquoted paths with spaces, executable file creation in parent directories of those paths, and process execution from unexpected locations. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection and control-quality analytic rather than attributing it to a specific campaign or intrusion stage.
Likely telemetry
- Windows registry data for service configuration paths
- Endpoint file creation events for executable files
- Process creation telemetry including image path and parent process context
- Service inventory or configuration management data
- Shortcut path inventory where available
Detection direction
- Inventory Windows services and shortcuts with unquoted paths containing spaces, then separate benign legacy/configuration debt from newly introduced risk.
- Correlate risky path configurations with executable creation in higher-level parent directories and subsequent execution from unexpected locations.
- Tune for false positives from legitimate software installers, administrative maintenance, and application updates while preserving alerts for new executables placed in path-interception locations.
- Validate that endpoint telemetry includes full command/image paths; truncated or normalized paths can hide the condition.
- Use local baselines to define expected service executable locations because the supplied object provides no environment-specific allowlist or tactic context.
Mitigation priorities
- Fix unquoted service and shortcut paths by ensuring paths with spaces are properly quoted where applicable.
- Remove unauthorized executables from parent directories associated with risky paths and investigate how they were created.
- Restrict write permissions on directories that could be abused for path interception, especially locations above service executable paths.
- Include this condition in configuration compliance checks and vulnerability management workflows for Windows assets.
- Confirm SOC playbooks cover the registry, file creation, and process execution triad described by the analytic.
Analyst notes and limits
The supplied MITRE object is a detection analytic for Windows focused on unquoted service or shortcut paths and related file/process observations. There are no supplied relationships, aliases, labels, or tactic mappings, so analysis should remain centered on defensive validation and configuration hygiene rather than adversary attribution or campaign context.
Official detection content is not provided, and no relationship context is supplied. Local asset inventory, endpoint logging depth, service ownership, directory permissions, and baseline process behavior are required to determine severity and reduce false positives.
Analytic 0176
Unquoted service or shortcut paths that contain spaces and allow path interception by higher-level executables. Defender observes registry service configurations with unquoted paths, file creation of executables in parent directories of unquoted paths, and subsequent process execution from unexpected locations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 999d58a71924… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0176Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.