On Windows: modification of the PATH environment variable through the registry values that hold it (the system PATH under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, the per-user PATH under HKCU\Environment), combined with execution of a binary named after a legitimate system tool from a user-writable directory that the change placed ahead of the system directories in the search order. The defender correlates the registry modification, the creation of the suspiciously named binary, and a process execution whose image path is inconsistent with the baseline system directories, all within a bounded time window.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| MonitoredRegistryKeys | PATH environment values to monitor for changes: the Path value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and under HKCU\Environment (HKU\<SID>\Environment when logged by SID). Event 4657 is only generated when the Audit Registry subcategory is enabled and a SACL is set on these keys. |
| SuspiciousBinaryList | List of high-value system binaries commonly hijacked (e.g., net.exe, python.exe, powershell.exe). |
| TimeWindow | Correlation window between PATH modification and execution of a hijacked binary. |
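The three-way correlation described above, as an added example that is not code from the original page or from any vendor product: a small Python routine joins a constructed Security 4657 record on the Path value of an Environment key with constructed Sysmon 11 and Sysmon 1 records. The SuspiciousBinaryList, TimeWindow and baseline directories are hypothetical tunables standing in for the mutable elements in the table; the event field names follow the Security and Sysmon schemas, but the event values, host paths and timestamps are constructed.

```python
import ntpath
from datetime import datetime, timedelta

# Hypothetical tunables mirroring the mutable elements in the table above.
SUSPICIOUS_BINARY_LIST = {"net.exe", "python.exe", "powershell.exe"}
TIME_WINDOW = timedelta(minutes=30)
# Baseline directories where these binaries legitimately live; a hit from any
# other directory is treated as user-writable for the purpose of this heuristic.
BASELINE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Constructed sample events, normalised the way a SIEM would present
# Security 4657 (registry value set), Sysmon 11 (file create), Sysmon 1 (process create).
EVENTS = [
    {"ts": "2024-05-01T09:58:00", "log": "Security", "EventCode": 4657,
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment",
     "ObjectValueName": "Path",
     "NewValue": r"C:\Users\bob\tools;C:\Windows\system32;C:\Windows"},
    {"ts": "2024-05-01T10:01:00", "log": "Sysmon", "EventCode": 11,
     "TargetFilename": r"C:\Users\bob\tools\net.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T10:05:00", "log": "Sysmon", "EventCode": 1,
     "Image": r"C:\Users\bob\tools\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: the real net.exe launched from System32 an hour later.
    {"ts": "2024-05-01T11:00:00", "log": "Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _dir(p):  # ntpath so the example also runs on a Linux analysis host
    return ntpath.dirname(p).lower().rstrip("\\")

def _name(p):
    return ntpath.basename(p).lower()

def is_path_value_change(e):
    """4657 on the Path value of a per-machine or per-user Environment key."""
    return (e["log"] == "Security" and e["EventCode"] == 4657
            and e["ObjectName"].lower().endswith(r"\environment")
            and e.get("ObjectValueName", "").lower() == "path")

def leading_non_baseline_dirs(path_value):
    """Directories in the new PATH that precede every baseline directory.
    Only these win the search-order race for a same-named binary."""
    out = []
    for p in path_value.split(";"):
        p = p.strip().lower().rstrip("\\")
        if not p:
            continue
        if p in BASELINE_DIRS:
            break
        out.append(p)
    return out

def correlate(events):
    """One alert per hijack-consistent process start within TIME_WINDOW of a
    PATH change that promoted the start directory ahead of the baseline."""
    changes = [(e, leading_non_baseline_dirs(e["NewValue"]))
               for e in events if is_path_value_change(e)]
    created = [e for e in events if e["log"] == "Sysmon" and e["EventCode"] == 11]
    alerts = []
    for e in events:
        if not (e["log"] == "Sysmon" and e["EventCode"] == 1):
            continue
        d, n = _dir(e["Image"]), _name(e["Image"])
        if n not in SUSPICIOUS_BINARY_LIST or d in BASELINE_DIRS:
            continue
        for chg, promoted in changes:
            if d in promoted and timedelta(0) <= _ts(e) - _ts(chg) <= TIME_WINDOW:
                # Was the same binary dropped between the PATH change and the execution?
                dropped = any(
                    (_dir(c["TargetFilename"]), _name(c["TargetFilename"])) == (d, n)
                    and _ts(chg) <= _ts(c) <= _ts(e) for c in created)
                alerts.append({"image": e["Image"], "path_change_ts": chg["ts"],
                               "process_ts": e["ts"], "binary_created_in_window": dropped})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only directories that precede the first baseline directory in the new value are treated as promoted; an attacker-writable directory appended at the end of PATH cannot shadow net.exe or powershell.exe and would only add noise. The benign System32 execution in the sample is dropped by the baseline check before any time comparison is made.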
On Linux: user modification of the $PATH environment variable in shell configuration files (~/.bashrc, ~/.profile, /etc/profile.d/, /etc/environment) or at runtime, followed by execution of a binary that resolves from a user-controlled directory placed ahead of the system directories. The defender observes writes to those startup files and process executions whose resolved binary location is not one of the expected system directories.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open/write calls (auditd -w watch rules) modifying ~/.bashrc, ~/.profile, /etc/profile.d/ or /etc/environment |
| Process Creation (DC0032) | linux:osquery | Execution of binary resolved from $PATH not located in /usr/bin or /bin |
| Field | Description |
|---|---|
| MonitoredShellConfigs | Set of shell startup files where PATH changes should be flagged. |
| AllowedUserBins | Directories (e.g., /usr/local/bin) considered legitimate locations for non-system binaries, used to reduce false positives. |
On macOS: modification of the PATH or HOME environment variables through shell config files, launchctl setenv, or entries in /etc/paths and /etc/paths.d (read by path_helper at login), combined with process execution from the attacker-controlled directories those changes introduce. The defender correlates file changes in /etc/paths.d and the user's shell rc files with process executions that resolve to binaries in those directories rather than the baseline PATH directories.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | File modification in /etc/paths.d or user shell rc files |
| Process Creation (DC0032) | macos:unifiedlog | Process execution path inconsistent with baseline PATH directories |
| Field | Description |
|---|---|
| WatchedPathsDirs | Locations monitored for unauthorized PATH entries: /etc/paths, /etc/paths.d, and the shell rc files under $HOME. |
| TrustedExecutables | Baseline applications expected in user PATH directories. |
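The Linux and macOS analytics above both reduce to one question: after the shell rc files and, on macOS, path_helper's /etc/paths and /etc/paths.d have been applied, does the effective PATH place a directory the user controls ahead of the system directories? The following is an added example, not code from the original page: it replays constructed ~/.bashrc PATH assignments, rebuilds the path_helper result from constructed /etc/paths and /etc/paths.d contents, simulates binary lookup against a constructed list of on-disk files, and flags entries against an AllowedUserBins/TrustedExecutables allowlist. The file contents, HOME value and allowlist are constructed; that path_helper reads /etc/paths.d files in lexical name order is an assumption.

```python
import re

# Hypothetical tunables standing in for AllowedUserBins / TrustedExecutables.
SYSTEM_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")
ALLOWED_USER_BINS = {"/usr/local/bin", "/opt/homebrew/bin", "/opt/X11/bin"}
HOME = "/home/alice"  # constructed

# Constructed ~/.bashrc. The fourth line is the hijack: /tmp/.cache is prepended.
BASHRC = """# ~/.bashrc
alias ll='ls -l'
export PATH="$HOME/.local/bin:$PATH"
PATH=/tmp/.cache:$PATH
export EDITOR=vim
"""
BASE_PATH = "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"  # PATH before the rc file runs

# Constructed macOS path_helper inputs: /etc/paths plus two /etc/paths.d files.
ETC_PATHS = "/usr/local/bin\n/usr/bin\n/bin\n/usr/sbin\n/sbin\n"
PATHS_D = {"40-XM_Local": "/opt/X11/bin\n", "zz-updater": "/Users/Shared/.tools\n"}

# Constructed view of files on disk so lookup can be simulated without touching the host.
FILES = {"/usr/bin/sudo", "/usr/bin/ls", "/tmp/.cache/sudo"}

# Matches `PATH=...` or `export PATH=...`, with or without quotes.
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?PATH=(["\']?)(.*?)\1\s*$')

def expand(value, current_path, home=HOME):
    """Minimal expansion of $PATH, $HOME and a leading ~ in a PATH assignment."""
    value = value.replace("${PATH}", current_path).replace("$PATH", current_path)
    value = value.replace("${HOME}", home).replace("$HOME", home)
    return ":".join(home + p[1:] if p.startswith("~") else p for p in value.split(":"))

def effective_path(rc_text, base_path, home=HOME):
    """Apply each PATH assignment in an rc file in order, starting from base_path."""
    path = base_path
    for line in rc_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            path = expand(m.group(2), path, home)
    return path

def path_helper_path(etc_paths, paths_d, existing_path=""):
    """Rebuild what path_helper emits: /etc/paths entries, then /etc/paths.d files
    (assumed lexical order), then any pre-existing entries not already present."""
    entries = [l.strip() for l in etc_paths.splitlines() if l.strip()]
    for name in sorted(paths_d):
        entries += [l.strip() for l in paths_d[name].splitlines() if l.strip()]
    for p in existing_path.split(":"):
        if p and p not in entries:
            entries.append(p)
    return ":".join(entries)

def resolve(name, path, files=FILES):
    """First directory in PATH containing `name`, mimicking the shell's lookup."""
    for d in path.split(":"):
        candidate = (d or ".").rstrip("/") + "/" + name
        if candidate in files:
            return candidate
    return None

def risky_entries(path):
    """(entry, reason) pairs for PATH entries that let a same-named binary win the lookup."""
    findings, seen_system = [], False
    for entry in path.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "relative entry: current directory is searched"))
        elif entry in SYSTEM_DIRS:
            seen_system = True
        elif entry in ALLOWED_USER_BINS:
            continue
        elif not seen_system:
            findings.append((entry, "non-allowlisted directory precedes system directories"))
        else:
            findings.append((entry, "non-allowlisted directory after system directories (lower risk)"))
    return findings

if __name__ == "__main__":
    linux_path = effective_path(BASHRC, BASE_PATH)
    print("linux effective PATH:", linux_path)
    print("sudo resolves to:", resolve("sudo", linux_path))
    print("linux findings:", risky_entries(linux_path))
    mac_path = path_helper_path(ETC_PATHS, PATHS_D)
    print("macOS path_helper PATH:", mac_path)
    print("macOS findings:", risky_entries(mac_path))
```

The Linux case shows the search-order consequence directly: once /tmp/.cache precedes /usr/bin, `sudo` resolves to the planted copy. The macOS case shows why the /etc/paths.d channel matters even though path_helper appends those entries after /etc/paths: an attacker-controlled directory still lands in every login shell's PATH and will capture any tool name that is not already present in a system directory, so unexpected /etc/paths.d entries are worth alerting on at lower severity. To run this against a real host, read the rc files and /etc/paths.d with open() in place of the constructed strings and replace FILES with os.path.isfile checks.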