T1574.007 Path Interception by PATH Environment Variable Mappings

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\system32</code> (e.g., <code>C:\Windows\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.

For example, if <code>C:\example path</code> precedes <code>C:\Windows\system32</code> in the PATH environment variable, a program named net.exe placed in <code>C:\example path</code> will be called instead of the Windows system "net" when "net" is executed from the command-line.
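The search order described above can be modelled and audited offline. The following is an added example, not part of the ATT&CK technique page or of the mappings project: it implements the PATH-then-PATHEXT resolution that cmd.exe performs for a bare command name, and an audit that lists executables in PATH entries preceding <code>C:\Windows\system32</code> whose base name matches a system32 program (the net.exe case from the text). The PATH value and the per-directory file listings are constructed for the example; on a real host you would feed it <code>os.environ["PATH"]</code> and the output of <code>os.listdir</code>, and the default PATHEXT order is an assumption.

```python
import ntpath

# PATHEXT order on a default Windows install; cmd.exe tries these in order
# for a command name given without an extension (assumed default).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

# Constructed sample data: a PATH value and what each directory contains.
SAMPLE_PATH = r"C:\example path;C:\Windows\system32;C:\Windows;C:\Tools"
SAMPLE_LISTING = {
    r"C:\example path": {"net.exe", "readme.txt"},          # precedes system32
    r"C:\Windows\system32": {"net.exe", "cmd.exe", "whoami.exe"},
    r"C:\Windows": {"notepad.exe"},
    r"C:\Tools": {"cmd.exe"},                                # after system32: loses the race
}


def split_path(path_value):
    """Split a PATH value into its entries, keeping the original order."""
    return [e.strip() for e in path_value.split(";") if e.strip()]


def _norm_dir(directory):
    # Windows paths compare case-insensitively and tolerate mixed separators.
    return ntpath.normcase(ntpath.normpath(directory))


def _dir_files(listing, directory):
    """Lower-cased file names of `directory`, matching the key case-insensitively."""
    want = _norm_dir(directory)
    for d, files in listing.items():
        if _norm_dir(d) == want:
            return {f.lower() for f in files}
    return set()


def resolve_command(command, path_entries, listing, pathext=DEFAULT_PATHEXT):
    """Return the file cmd.exe would launch for `command`, or None if nothing matches.

    Order: each PATH entry in sequence, and within one directory each PATHEXT
    extension in sequence; the first hit wins. cmd.exe also checks the current
    directory before PATH; prepend it to `path_entries` to model that.
    """
    name = command.lower()
    if ntpath.splitext(name)[1]:                      # explicit extension: use it as given
        candidates = [name]
    else:
        candidates = [name + ext.lower() for ext in pathext]
    for entry in path_entries:
        files = _dir_files(listing, entry)
        for cand in candidates:
            if cand in files:
                return ntpath.join(entry, cand)
    return None


def audit_path(path_entries, listing, system_dir=r"C:\Windows\system32",
               pathext=DEFAULT_PATHEXT):
    """List (directory, file) pairs that would be run instead of a system32 binary.

    Only entries that come before `system_dir` in PATH are inspected, because a
    same-named file in a later entry is never reached by the sequential search.
    """
    exts = {e.lower() for e in pathext}

    def is_exec(f):
        return ntpath.splitext(f)[1] in exts

    system_names = {ntpath.splitext(f)[0]
                    for f in _dir_files(listing, system_dir) if is_exec(f)}
    findings = []
    for entry in path_entries:
        if _norm_dir(entry) == _norm_dir(system_dir):
            break
        for f in sorted(_dir_files(listing, entry)):
            if is_exec(f) and ntpath.splitext(f)[0] in system_names:
                findings.append((entry, f))
    return findings


if __name__ == "__main__":
    entries = split_path(SAMPLE_PATH)
    print("net resolves to:", resolve_command("net", entries, SAMPLE_LISTING))
    for directory, filename in audit_path(entries, SAMPLE_LISTING):
        print(f"shadowing binary: {filename} in {directory}")
```

On a live host the finding list is only half the check: the same preceding directories should also have their ACLs reviewed, since a directory that non-administrators can write to is what turns PATH ordering into a privilege escalation path, which the Mappings below address under AC-6 and CM-6.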


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| AC-3 | Access Enforcement | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| AC-4 | Information Flow Enforcement | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| AC-5 | Separation of Duties | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| AC-6 | Least Privilege | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CA-7 | Continuous Monitoring | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CA-8 | Penetration Testing | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CM-2 | Baseline Configuration | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CM-6 | Configuration Settings | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CM-7 | Least Functionality | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| CM-8 | System Component Inventory | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| SI-10 | Information Input Validation | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| SI-3 | Malicious Code Protection | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| SI-4 | System Monitoring | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1574.007 | Path Interception by PATH Environment Variable | |
| azure_sentinel | Azure Sentinel | technique_scores | T1574.007 | Path Interception by PATH Environment Variable | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures. |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1574.007 | Path Interception by PATH Environment Variable | This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score. |