1. Home
  2. Techniques
  3. Enterprise
  4. Hijack Execution Flow
  5. Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by PATH Environment Variable

ID Name
T1574.001 DLL
T1574.004 Dylib Hijacking
T1574.005 Executable Installer File Permissions Weakness
T1574.006 Dynamic Linker Hijacking
T1574.007 Path Interception by PATH Environment Variable
T1574.008 Path Interception by Search Order Hijacking
T1574.009 Path Interception by Unquoted Path
T1574.010 Services File Permissions Weakness
T1574.011 Services Registry Permissions Weakness
T1574.012 COR_PROFILER
T1574.013 KernelCallbackTable
T1574.014 AppDomainManager

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.

Adversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.

For example, on Windows if an adversary places a malicious program named "net.exe" in C:\example path, which by default precedes C:\Windows\system32\net.exe in the PATH environment variable, when "net" is executed from the command-line the C:\example path will be called instead of the system's legitimate executable at C:\Windows\system32\net.exe. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a Command and Scripting Interpreter.[1]

Adversaries may also directly modify the $PATH variable specifying the directories to be searched. An adversary can modify the $PATH variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, Unix Shell Configuration Modification, or modifying the /etc/paths.d folder contents.[2][3][4]

ID: T1574.007
Sub-technique of:  T1574
Platforms: Linux, Windows, macOS
Contributors: Stefan Kanthak
Version: 1.2
Created: 13 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1111 DarkGate

DarkGate overrides the %windir% environment variable by setting a Registry key, HKEY_CURRENT_User\Environment\windir, to an alternate command to execute a malicious AutoIt script. This allows DarkGate to run every time the scheduled task DiskCleanup is executed as this uses the path value %windir%\system32\cleanmgr.exe for execution.[5]
S0363 Empire

Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.[6]
S0194 PowerSploit

PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.[7][8]

Mitigations

ID Mitigation Description
M1047 Audit

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[9][10][11]
M1038 Execution Prevention

Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[12][13][14][15][16][17]
M1022 Restrict File and Directory Permissions

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0004 Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable. AN0009

Abnormal modification of the PATH environment variable or registry keys controlling system paths, combined with execution of binaries named after legitimate system tools from user-writable directories. Defender correlates registry modifications, file creation of suspicious binaries, and process execution paths inconsistent with baseline system directories.
AN0010

User modification of the $PATH environment variable in shell configuration files or direct runtime PATH changes, followed by execution of binaries from user-controlled directories. Defender observes file edits to ~/.bashrc, ~/.profile, or /etc/paths.d and process execution resolving to unexpected binary locations.
AN0011

Modification of PATH or HOME environment variables through shell config files, launchctl, or /etc/paths.d entries, combined with process execution from attacker-controlled directories. Defender correlates file changes in /etc/paths.d with process execution resolving to malicious binaries.

References

  1. ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.
  2. Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.
  3. Vivek Gite. (2023, August 22). MacOS – Set / Change $PATH Variable Command. Retrieved September 28, 2023.
  4. Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.
  5. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  6. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  7. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  8. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  9. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.
  1. Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.
  2. Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
  3. Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  4. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  5. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  6. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  7. Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  8. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.